NOT PROTECTIVELY MARKED

MEETING TITLE: Audit Committee Public Session
DATE: 23 August 2017
PAPER TITLE: IT Service Delivery
ITEM NO: 6.5
PREPARED BY: Gary Devlin

PURPOSE

This paper presents our final report on the review of ICT Service Delivery, which was conducted in March/April. The paper is presented in line with the Internal Audit contract with the Scottish Police Authority.

BACKGROUND

During March/April 2017, we conducted a review of ICT Service Delivery in line with the 2016/17 Internal Audit Plan.

It is essential that an organisation of the scale of Police Scotland has effective and efficient measures in place to deliver consistently high standards of ICT delivery to its customers. Increasingly, ICT departments are implementing or aligning themselves with accepted industry best practice standards for IT service delivery. This includes ITIL (IT Infrastructure Library), COBIT and ISO20000, the ICT service management standard. This adoption and implementation of good practice should ensure that there are consistently applied processes and clear practices in place within IT departments. It should also create a culture of efficiency and continuous improvement in ensuring the delivery of strategic and operational objectives.

Our review assessed, at a high level, the service and support management processes within the Police Scotland ICT team to assess the degree of compliance with recognised leading practice. ISO20000 was used as the basis of our assessment as it is controls based. We recognise that Police Scotland ICT has no plans to seek formal certification against this standard.

13 controls were reviewed and the attached report summarises the observations, recommendations and management responses in detail. Following receipt of the draft report, further engagement sessions were held to ensure that the final report was reflective of, and agreed by, both parties. Each observation and recommendation has a management response with owner and date. All recommendations have been accepted as detailed within the attached report.

FURTHER DETAIL ON REPORT TOPIC

Of the 13 controls, 3 are assessed as Red (the control procedures in place are not effective; inadequate management of key risks), 8 are assessed as Yellow (no major weaknesses in control but scope for improvement) and 2 as Green (adequate and effective controls which are operating satisfactorily).

This report highlighted the need for improvement in three key areas: Service Continuity and Availability, Capacity Management and Configuration Management.

Service Continuity and Availability

Our review of Business Continuity Planning, which was presented to the April 2017 Audit & Risk Committee, identified weaknesses in ICT recovery plans. In addition to those findings, this review has identified that processes do not ensure that ICT recovery plans are subject to review and update in response to changes to the network or business applications.

Capacity Management

We also identified that ICT has not established formal processes for technical capacity planning. Currently, capacity management is limited to monitoring disk usage. There was no process of engagement with customers to establish their future technical capacity requirements in order to enable appropriate technology and storage to be in place to meet their demand. This is a critical element of effective ICT planning which ensures that customers have the ability to use technology effectively and efficiently even at times of high demand on ICT capacity.

Configuration Management

A further area where improvement is required is in relation to configuration management processes and, in particular, the establishment and maintenance of a Configuration Management Database (CMDB). This is a critical process area supporting change, problem and incident management processes by maintaining accurate records of all IT assets. Management is aware of this gap and stated that they have created a work plan in order to implement a CMDB by mid

All recommendations contained within the report have been accepted, with action owners and timescales for completion assigned.

Next steps: We will follow up the management responses contained within the report on a periodic basis to monitor progress being made towards implementing management actions.

FINANCIAL IMPLICATIONS

There are no financial implications arising as a direct result of this report.

PERSONNEL IMPLICATIONS

There are no personnel implications associated with this report.

LEGAL IMPLICATIONS

There are no legal implications associated with this report.

REPUTATIONAL IMPLICATIONS

There are no reputational implications arising from this report.

SOCIAL IMPLICATIONS

There are no social implications directly associated with this report.

COMMUNITY IMPACT

There are no community impact implications directly associated with this report.

EQUALITIES IMPLICATIONS

There are no equalities implications directly associated with this report.

ENVIRONMENTAL IMPLICATIONS

There are no environmental implications associated with this report.

RECOMMENDATIONS

Members are requested to note the content of this report.

Audit Committee Progress Report of 2017/18 Internal Audit Plan, 23 August 2017. NOT PROTECTIVELY MARKED

Scottish Police Authority Internal Audit Report: ICT Service Delivery, June 2017


Contents

Introduction
Summary of findings
Conclusion
Management Action Plan


Introduction

In March and April 2017 we conducted a review of the IT service delivery processes within Police Scotland IT. The review was performed in accordance with the 2016/17 Internal Audit Plan.

Background

It is essential that an organisation of the scale of Police Scotland has effective and efficient measures in place to deliver consistently high standards of ICT delivery to its customers. Increasingly, ICT departments are implementing or aligning themselves with accepted industry best practice standards for IT service delivery. This includes ITIL (IT Infrastructure Library), COBIT and ISO20000, the ICT service management standard. This adoption and implementation of good practice should ensure that there are consistently applied processes and clear practices in place within IT departments. It should also create a culture of efficiency and continuous improvement in ensuring the delivery of strategic and operational objectives.

Scope

Our audit reviewed, at a high level, the service and support management processes within the Police Scotland ICT team to assess the degree of compliance with recognised leading practice. ISO20000 was used as the basis of our assessment as it is controls based. We recognise that Police Scotland ICT has no plans to seek formal certification against this standard.

Controls relating to Release Management and Business Continuity Planning were excluded from this audit. These controls are considered in more detail in our Software Development Testing and Business Continuity Planning audits respectively.

The control objectives for this audit, along with our assessment of the controls in place to meet each objective, are set out in the Summary of Findings.

Acknowledgements

We would like to thank all staff consulted during this review for their assistance and co-operation.

scott-moncrieff.com | Scottish Police Authority ICT Service Delivery

Summary of findings

The table below summarises our assessment of the adequacy and effectiveness of the controls in place to meet each of the objectives agreed for this audit. Further details, along with any improvement actions, are set out in the Management Action Plan.

No | Control objective                              | Control objective assessment | Action rating
1  | Service continuity and availability management | RED    | 1
2  | Capacity management                            | RED    | 1
3  | Configuration management                       | RED    |
4  | Service level management                       | YELLOW | 2
5  | Problem management                             | YELLOW | 1
6  | Change control                                 | YELLOW | 1
7  | Planning for new service provision             | YELLOW | 1
8  | Budgeting and accounting                       | YELLOW | 1
9  | Information security management                | YELLOW |
10 | Business relationship management               | YELLOW |
11 | Supplier management                            | YELLOW | 1
12 | Service reporting                              | GREEN  |
13 | Incident Management                            | GREEN  |

Assessment | Definition
BLACK  | Fundamental absence or failure of key control procedures - immediate action required.
RED    | The control procedures in place are not effective - inadequate management of key risks.
YELLOW | No major weaknesses in control but scope for improvement.
GREEN  | Adequate and effective controls which are operating satisfactorily.

Conclusion

At the outset of our review, ICT management stated that a number of ICT service delivery processes were still maturing. This assessment was borne out by our audit work. In the context of ongoing pressures on resourcing and funding, the core priority for ICT management is to establish fit-for-purpose service delivery processes which manage the significant risks to ICT delivery. Where appropriate and cost effective, ICT management aim to deliver services in line with recognised leading practices.

ICT service delivery is made up of a number of areas. Of these, our audit work identified several areas where processes were established and effective. This included Incident Management, which is typically the key interface between ICT and customers. We also noted that a number of reports are produced by ICT, both corporately and for customers, and it will remain important that the format and content of reports is subject to regular review to support appropriate review and continuous improvement. We also identified that a detailed change management process was in place, with a dedicated Change Advisory Board for changes to the C3 (Command and Control) system.

Our work highlighted the need for improvement in three areas: Service Continuity and Availability, Capacity Management and Configuration Management. We have provided a summary of weaknesses in each of these areas below.

Service Continuity and Availability

Our review of Business Continuity Planning, which was presented to the April 2017 Audit & Risk Committee, identified weaknesses in ICT recovery plans. In addition to those findings, this review has identified that processes do not ensure that ICT recovery plans are subject to review and update in response to changes to the network or business applications.

Capacity Management

We also identified that ICT has not established formal processes for technical capacity planning. Currently, capacity management is limited to monitoring disk usage. There was no process of engagement with customers to establish their future technical capacity requirements in order to enable appropriate technology and storage to be in place to meet their demand. This is a critical element of effective ICT planning which ensures that customers have the ability to use technology effectively and efficiently even at times of high demand on ICT capacity.

Configuration Management

A further area where improvement is required is in relation to configuration management processes and, in particular, the establishment and maintenance of a Configuration Management Database (CMDB). This is a critical process area supporting change, problem and incident management processes by maintaining accurate records of all IT assets. Management is aware of this gap and have created a work plan in order to implement a CMDB by mid

As stated above, ICT management recognise that processes in a number of areas are still maturing. In recognition of the competing demands on resources, a formal programme of work should be developed in order to set out the timetable and resource requirement to implement the target ICT service delivery model.

Main Findings

In addition to those issues listed in the Conclusion above, we have set out further key issues arising from our audit below.

At the time of our audit there was no service catalogue detailing the services provided by ICT to its customer base. There was also no Service Level Agreement (SLA) with customers which makes them aware of the levels of service that they should expect to receive from ICT. It is the case that all recorded incidents are assigned a priority which determines the response and resolution timescale.

Whilst ICT has established a formal approach for the management of ICT projects (based on the PRINCE2 methodology), this methodology is not always followed.

Although there is monitoring and reporting of downtime, this is only reported at server level. This does not provide information on services and applications impacted by the downtime. We recognise that this will be challenging due to the scale of live applications on the Police Scotland ICT estate.

Problem management is the process of determining the root cause of incidents and determining the resolution of them. It also includes the process of ensuring that the resolution is implemented. We found that procedures have not been documented and approved by ICT management.

Whilst change requestors are required to identify rollback procedures through the Request for Change (RFC) template, we found that RFCs contained a limited amount of detail on how the change would be rolled back.

Further details of the points noted above, as well as a number of less significant issues, are included in the Management Action Plan.

Management Action Plan

In order to provide information regarding the priority/seriousness of our report findings, a ranking of the findings has been provided. The rankings are as follows:

Risk rating | Definition
5 | Very high risk exposure - Major concerns requiring immediate Board attention.
4 | High risk exposure - Absence / failure of significant key controls.
3 | Moderate risk exposure - Not all key control procedures are working effectively.
2 | Limited risk exposure - Minor control procedures are not in place / not working effectively.
1 | Efficiency / housekeeping point.

1 Control objective: Service continuity and availability management

1.1 Business changes and testing

Observation and risk

Our audit found that ICT has not established formal procedures to update ICT recovery plans as necessary following changes made to the technology environment. We also noted that ICT recovery plans have not been subject to formal testing to confirm that they are capable of supporting the response to a business or ICT interruption.

Due to the high volume of changes over critical systems, there is a risk that, if ICT recovery plans are not updated in light of changes made to the technology environment, they may not be capable of supporting the response to a business interruption. This could result in unforeseen delays in restoring ICT services to users. This could also result in negative publicity if there was an impact on public services.

Recommendation

We recommend that formal processes are established within the change management process whereby the impact on ICT recovery and/or, where appropriate, business continuity plans is considered. Where the change has an impact, the ICT recovery plan should be updated as necessary.

We also recommend that ICT recovery plans are subject to regular testing to confirm that they are capable of supporting an effective and efficient response to a disaster.

Management response

Recommendation accepted. The Change process will be developed to incorporate impact on ICT recovery following changes to the ICT environment focused against critical services. This is alongside the recommendations from the Business Continuity audit should link the ICT recovery plans within the business BC s. This will be completed by the end of December.

Business Continuity test strategies are owned and managed by the central Police Scotland Business Continuity Plans and testing is conducted through this mechanism. A DR test plan and strategy will be focussed against critical infrastructure.

The delivery of this recommendation is dependent on the current staffing challenges within the ICT Service Management and Service Delivery function.

To be actioned by: ICT Director/Head of Service Management
No later than: 31 March 2018
Priority: 4

2 Control objective: Capacity management

2.1 Capacity planning

Observation and risk

Capacity planning is the exercise by which future technical ICT demands are sized based on forecast user requirements. ICT has not established a formal approach for capacity management. Currently, capacity management is limited to monitoring existing disk usage. There are no formal processes for future capacity planning. Forward capacity planning is reactive and based on an estimate drawing on past usage. There is currently no formal process in place for engaging with customers of ICT to identify capacity needs.

Due to the rapidly evolving and increasing need for ICT services by customers, failing to engage customers in assessing future capacity needs creates a significant risk that customer needs will not be correctly anticipated and that, as such, ICT services may not be able to meet future customer demand.

Recommendation

The capacity planning process should be enhanced so that it identifies current technical capacity and forecasts future demands based on historic trends, details of known projects, and input from customers. Timescales should be noted along with a corresponding proposal of how the future demand can be met. This process should form part of ICT strategic planning processes.

In developing technical capacity plans, ICT should develop formal processes for data archiving to avoid unnecessary storage of data which no longer needs to be held in the live environment.

Management response

Recommendation accepted. Capacity planning will form a core component of the ongoing project to consolidate our data centres in line with the corporate and operational policing requirements that are being defined following publication of the 2026 strategy.

The process will be developed by the end of March. Additionally, a roadmap outlining timescales and proposals will also be developed by the end of March. Additional processes as outlined in the recommendation will follow on the development of the Capacity planning process. Expected to be no later than the end of June.

To be actioned by: Chief Technology Officer/Head of Applications and Development
No later than: June 2018
Priority: 4

3 Control objective: Configuration management

3.1 Configuration management database (CMDB)

Observation and risk

Our review found that ICT has not yet established a complete CMDB. The ICT function has established a work plan in order to address this and, at the time of our audit, it was anticipated that a CMDB would be implemented in mid. ICT management did state that this timescale is predicated on vacant posts being filled. Our audit work did not include review of this work plan to validate its completeness and accuracy.

Without a complete CMDB in place, there is a risk that technology assets will not be appropriately managed. There is also a risk that, without a CMDB in place, ICT will not be able to conduct a robust risk and impact assessment when reviewing and approving change requests.

Recommendation

We recommend that ICT develops a comprehensive CMDB. ICT should also ensure that appropriate processes and resources are in place to ensure that the CMDB is maintained in line with changes to configuration items (CIs).

As part of the development of the CMDB, management should agree on the technical attributes of each configuration item within the ICT environment, including the relationships and dependencies between configuration items. Once the CMDB has been implemented, ICT should update workflows which record the CIs impacted by changes, problems and incidents.

We also recommend that a regular audit of CIs is conducted to confirm the accuracy and completeness of the CMDB. This should include reconciliations between the CMDB and outputs from discovery tools.

Management response

Recommendation accepted. ICT has developed a structure which will be responsible for the implementation and management of the CMDB. This was also recognised in the Audit Scotland review last year.

All of the detail within the recommendation will be considered through the development of the roadmap including the corresponding processes, technical attributes and relationships/dependencies. However, this is subject to ensuring the team are in place.

To be actioned by: Head of Service Management
No later than: Development of items within Roadmap - October 2018. Review/Audit to be conducted 6 months after implementation and 6 monthly thereafter.
Priority: 4

3.2 Software master copy repository

Observation and risk

There remain significant volumes of legacy software in use across the Service. Much of this is locally used and managed as it is native to the legacy Force structure. ICT has no role in the management and storage of the master copies of this software. ICT is committed to taking a national approach towards ICT service delivery. A key part of this is to replace and consolidate legacy local software. This is currently a work in progress.

We recognise that there is a software repository which contains master copies of software for solutions that ICT supports and manages. This also contains relevant supporting documentation.

There is a risk that, without holding copies of all software in a central, accessible location, the recovery of applications in the event of a disaster may be delayed. There is also a risk that there is a lack of clarity on licences held for these applications.

Recommendation

ICT should identify and, where possible, remove legacy board-specific software from use. Where possible, ICT should introduce national software solutions in order to provide better support and achieve efficiency gains.

Where it is not possible to remove legacy software from use, ICT should seek to maintain master copies of the original software in the central repository. In recognition of the volume of legacy applications in use, we recommend that a risk-based approach is taken to this exercise.

Management response

Recommendation accepted. There are a number of applications in use across legacy forces. ICT are working to remove these and standardise to drive down the number of applications and software installed.

This is a part of our wider consolidation of our data centres in line with the corporate and operational policing requirements that are being defined following the publication of the 2026 strategy. A review of software and location of master copy will be completed across the organisation focussing on priority systems/installations.

To be actioned by: Chief Technology Officer/Head of Applications and Development
No later than: 31 March 2018
Priority: 3

4 Control objective: Service level management

4.1 Service level agreements (SLAs)

Observation and risk

Service level agreements (SLAs) define the service between a service provider (internal or external) and customers. As well as detailing the specific services that are to be provided, the SLA should also define service standards such as response times and reporting processes.

Currently, each incident recorded with the Service Desk is allocated a priority according to its severity (if the incident relates to C3, it will be assigned the highest priority). It is also assigned a response and resolution timescale based on the priority. There are no formal SLAs between ICT and customers, though, which set out reporting processes and specific services being provided.

In addition to ongoing monitoring, ICT service availability and downtime is monitored and reported via monthly downtime reports. We noted that reporting is limited to server availability and does not report on affected services/applications. This is due to the volume of applications (c700) operating across the Police Scotland ICT estate.

In the absence of agreed SLAs, there is a risk that ICT delivers services that do not meet the needs of customers. There is also a risk that customer satisfaction with ICT service provision is not assessed and opportunities to improve process and performance are not identified.

There is a risk that poor performance and availability will not be identified and addressed before it impacts on customers. This may result in users becoming dissatisfied, resulting in a loss of confidence and reputational damage.

Recommendation

We recommend that ICT management develop formal SLAs with all relevant business areas (i.e. customers). In developing SLAs, ICT management should assess the relative merits of creating a single, standard SLA against SLAs that are tailored to individual business areas (and their requirements/use of ICT services). Regardless of the option chosen, the SLAs should include targets (KPIs) for each service that ICT provides. These should be SMART and agreed by senior customers of each business area. SLAs should also be subject to regular review to ensure that they continue to satisfy the requirements of business areas.

Furthermore, performance against SLAs should be reported to the customer as part of the service reporting process, specifically highlighting any areas of non-conformance. Actions should be identified and implemented to improve the service.

We also recommend that service and application availability is subject to formal monitoring and reporting. This should be reported against targets defined within SLAs. Trend analysis of service and application availability should be performed to allow any underlying causes of downtime to be identified and addressed.

Management response

The Head of Service Delivery will develop SLAs around the initial response to Service Requests. SLAs relating to response and resolution around specific systems are detailed within the Service Management System (IT Connect). These SLAs will be reviewed to ensure that they are fit for purpose. 6 monthly review of SLAs will be conducted.

KPIs across the department will be developed and will include KPIs for incident response. The services that ICT provides and systems that are supported are vast, therefore it cannot be confirmed that every Service will have a KPI attached.

Service and Application availability reporting will form part of our KPIs in the future. However, timescales around this development will follow the initial set of KPIs following reduction of services and our application estate.

To be actioned by: Head of Service Delivery
No later than: 31 December 2017
Priority: 3
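Added example, not part of the audit report or of Police Scotland's tooling, illustrating two of the recommendations above together: the reconciliation of a CMDB against discovery-tool output (3.1) and the roll-up of server-level downtime to the services it affects so that availability can be reported at service rather than server level (4.1). All CI names, the discovery output and the downtime figures are constructed sample data; the dependency model (server to database/application to service) is an assumption.

```python
"""
Two checks an ICT function can run once a CMDB with CI dependencies exists:
reconcile it against discovery output, and use it to attribute server
downtime to services. Everything below is constructed sample data.
"""
from collections import defaultdict

# Constructed CMDB export: each configuration item (CI) records its type and
# the CIs it directly depends on (server -> database/application -> service).
CMDB = {
    "srv-db-01":    {"type": "server",      "depends_on": []},
    "srv-app-01":   {"type": "server",      "depends_on": []},
    "srv-app-02":   {"type": "server",      "depends_on": []},
    "srv-old-99":   {"type": "server",      "depends_on": []},  # decommissioned, never removed
    "db-crm":       {"type": "database",    "depends_on": ["srv-db-01"]},
    "app-crm":      {"type": "application", "depends_on": ["srv-app-01", "db-crm"]},
    "app-intranet": {"type": "application", "depends_on": ["srv-app-02"]},
    "svc-crm":      {"type": "service",     "depends_on": ["app-crm"]},
    "svc-intranet": {"type": "service",     "depends_on": ["app-intranet"]},
}

# Constructed discovery-tool output: hostnames actually observed on the network.
DISCOVERED = {"srv-db-01", "srv-app-01", "srv-app-02", "srv-shadow-07"}

# Constructed monthly downtime log, recorded at server level only (minutes).
DOWNTIME = [("srv-db-01", 45), ("srv-app-02", 10), ("srv-db-01", 15), ("srv-shadow-07", 30)]


def reconcile(cmdb, discovered):
    """Compare CMDB servers with discovery output.

    Returns (unrecorded, stale): hosts seen on the network but absent from the
    CMDB, and CMDB servers that discovery no longer sees. Both lists are what a
    periodic CI audit should review.
    """
    recorded = {ci for ci, attrs in cmdb.items() if attrs["type"] == "server"}
    return sorted(discovered - recorded), sorted(recorded - discovered)


def dependents(cmdb):
    """Invert depends_on: map each CI to the set of CIs that depend on it."""
    rev = defaultdict(set)
    for ci, attrs in cmdb.items():
        for dep in attrs["depends_on"]:
            rev[dep].add(ci)
    return rev


def affected_services(cmdb, ci):
    """Walk the dependency graph upwards from ci and return the services reached.

    A CI that is not in the CMDB has no recorded dependents, so it yields [];
    that is the blind spot an incomplete CMDB creates for impact assessment.
    """
    rev = dependents(cmdb)
    seen, stack, services = set(), [ci], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cmdb.get(cur, {}).get("type") == "service":
            services.add(cur)
        stack.extend(rev.get(cur, ()))
    return sorted(services)


def service_downtime(cmdb, downtime):
    """Roll server-level downtime up to the services each server underpins.

    Returns (totals, unattributed): minutes of downtime per service, and the
    downtime entries for hosts whose impact could not be traced via the CMDB.
    """
    totals = defaultdict(int)
    unattributed = []
    for server, minutes in downtime:
        services = affected_services(cmdb, server)
        if not services:
            unattributed.append((server, minutes))
        for svc in services:
            totals[svc] += minutes
    return dict(totals), unattributed


def availability(minutes_down, minutes_in_period=30 * 24 * 60):
    """Percentage availability over a 30-day month, for comparison with an SLA target."""
    return round(100 * (1 - minutes_down / minutes_in_period), 3)


if __name__ == "__main__":
    unrecorded, stale = reconcile(CMDB, DISCOVERED)
    print("Hosts missing from CMDB:", unrecorded)
    print("CMDB servers not discovered:", stale)
    totals, unattributed = service_downtime(CMDB, DOWNTIME)
    for svc, minutes in sorted(totals.items()):
        print(f"{svc}: {minutes} min down, {availability(minutes)}% available")
    print("Downtime not attributable to any service:", unattributed)
```

The unattributed list is the practical link between the two findings: downtime on a host the CMDB does not know about cannot be reported against any service, so the service-level report is only as complete as the CMDB reconciliation.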

4.2 Service catalogue

Observation and risk

Whilst the Service Delivery team is aware of the services it provides, ICT has not yet documented the full range of services it provides to users in the form of a Service Catalogue. A Service Catalogue provides details of services available to customers along with the processes to request them.

There is a risk that service users may not be aware of the range and limitations of services that ICT provides to customers (including Police Scotland, Forensic Services and SPA). There is also a risk that the absence of a service catalogue could result in unrealistic demands being made of ICT.

Recommendation

We recommend that, to aid understanding of the extent and limitations of service provision, ICT should formally assess the merits of developing an ICT service catalogue. If it is agreed to produce an ICT service catalogue, it should include the following:

- A description of each service that can be provided;
- Any supporting or underpinning services;
- Timeframes, hours of availability and defined service levels;
- Who can receive the service;
- How to request the service (including authorisation channels); and
- Escalation points and key contacts within the service delivery team.

Management response

Recommendation accepted. ICT will assess the merits of developing an ICT Service Catalogue. If it is accepted that a Service Catalogue is required then this will be produced to include the recommended information. Initial delivery against this recommendation may be limited to basic intranet content describing what ICT can provide.

To be actioned by: Head of Service Delivery
No later than: 31 December 2017
Priority: 3

5 Control objective: Problem management

5.1 Problem management procedures

Observation and risk

Our audit found that the current Problem Management process has been in place for over two years; however, supporting procedures, which are currently in draft, have yet to be formally approved by management. In addition, the version of the procedure provided was not complete. In particular, only 2 of the 15 procedures contained within Section 3.4 (Discrete Procedural Breakdown) were completed.

We also noted from our review of the draft procedures that they do not reflect operational Problem Management practices. For example, the procedures refer to maintaining a Known-Errors Database (KEDB). However, this is not an active Problem Management process.

There is a risk that Problem Management processes are not established effectively and implemented consistently. This could result in process inefficiency as well as Problems not being managed effectively. There is also a risk that, without a Known-Errors Database, ICT staff may develop their own workarounds when one has already been devised.

Recommendation

We recommend that the draft Problem Management procedures should be reviewed, approved and implemented within ICT. Procedures should detail how problems should be: identified, recorded, classified, updated, escalated, resolved and formally closed.

Management should also implement and maintain a Known-Errors Database. This should be accessible to all personnel involved in Problem Management activities and be used as a key reference point in resolving Incidents and Problems.

Management response

Recommendation accepted. Problem management policy and process has been approved and is now in place and working. The development of the Known Error database is a target for Problem Management; however, until the Lifetime Process team is fully recruited it is not practical to implement (support, implement, maintain).

The KEDB facility is supported in the current Service Management tool. To ensure the success of a KEDB we must be able to ensure that the information is kept up to date, of an acceptable quality and appropriate for the audience, as well as accessible to the user base without impacting system performance.

To be actioned by: Head of Service Management/Lifetime Process Manager
No later than: Problem Management Process embedded - end December; KEDB - December 2018 (subject to Team being in place by end December 2017)
Priority: 3

6 Control objective: Change management.

6.1 Rollback plans

Observation and Risk:
ICT has developed detailed formal change management processes which are applied to all changes to the technology environment. There are two Change Advisory Boards (CAB) each week. The Tuesday CAB considers all changes except those relating to C3, which has a separate CAB that convenes each Friday. All changes require a Request for Change (RFC) form to be completed.

We noted that the RFC template includes a field in which change requestors can describe the rollback procedure should the change fail during implementation. However, from our review of a sample of RFCs, we found that the rollback processes were vague, with limited detail included. As a result, there was significant reliance on staff being able to interpret the rollback processes or use their own knowledge. We were also informed that there have been instances in which rollback processes could not be invoked. In these instances, the Duty Manager/Change Manager is required to work with the change requestor in order to reverse the change.

There is a risk that, by not detailing rollback processes within change requests, ICT will not be able to roll back systems effectively and efficiently in the event of a change failing. This could result in business disruption as a result of unavailability.

Recommendation:
We recommend that all RFCs include detailed rollback procedures, particularly for complex/high-risk changes which, if they failed, could impact the availability and/or performance of applications or the network.

As part of the change approval process, the CAB should ensure that each RFC contains sufficient detail on the rollback process to be followed should the change fail during implementation.

Management Response:
Recommendation accepted. Since completion of this audit, there has been an increased focus and challenge at the Change Advisory Board on the quality and completeness of rollback plans to ensure they are sufficient.

Additionally, further improvements to the already robust and established process are being implemented. The Lifetime Process Manager will ensure that detailed rollback procedures are in place for all Complex/High changes and challenge as appropriate.

To be actioned by: Head of Service Management/Lifetime Process Manager
No later than: 30 September 2017
Priority: 3

7 Control objective: Planning for new service provision.

7.1 Project management approach

Observation and Risk:
As part of our audit testing, we conducted a documentation review of a small number of projects to identify the extent to which project documentation was in place. Our testing found that projects are not being managed in a consistent manner. Reference was made to PRINCE2 as being the basis of project management. However, formal criteria are not in place defining how PRINCE2 is applied to individual projects (e.g. according to scale, complexity or timescale for delivery). As part of the project methodology, key documentation, including business cases and project plans, is required. However, we found that these are not prepared for all projects.

There is a risk that projects are not managed effectively and efficiently. This may result in an increased risk of projects failing to achieve stated deliverables in line with agreed timescales and budgets.

Recommendation:
We recommend that formal criteria are defined which set out which aspects of the PRINCE2 project management methodology (and its documentation requirements) are to be applied to individual projects. Business cases and project plans should be required for all projects.

We recommend that quality assurance processes are implemented which enable management to confirm that the project management methodology has been applied consistently.

Management Response:
Recommendation accepted. ICT will liaise with Organisational Development and the Programme Management Office to ensure consistency of project management approach and that standards and processes are in place and adhered to. This is a key piece of work already identified as necessary by the Head of Service Delivery.

The recent appointment of an ICT Portfolio Manager will allow ICT to develop and implement the required PM standards (where PRINCE2 will be considered) and framework to ensure best practice and drive up standards of PM control of delivery. These standards will be fully documented.

To be actioned by: Head of Service Delivery
No later than: December 2017
Priority: 3

8 Control objective: Budgeting and accounting.

8.1 Detailed core budget and control

Observation and Risk:
ICT prepares two budgets: a core budget, which covers standard expenditure incurred by the ICT function; and a capital budget for strategic expenditure. We found that detailed breakdowns of expected costs are not provided for the core budget. For example, for the Airwave system, a general budget line is recorded for IT Maintenance. We also noted from our discussions with ICT management that reports provided by Finance are not subject to detailed review.

There is a risk that, if budgets do not contain sufficient detail or if reports provided to management are not subject to regular detailed scrutiny, management may not be able to take appropriate action to manage costs effectively. This could also result in opportunities being missed to rationalise costs.

Recommendation:
We recommend that ICT management enhance the transparency of core budget expenditure. This should include a more detailed breakdown of core ICT costs, either in the budget itself or in supporting schedules. For example, areas such as IT Licences and Subscriptions could include details of specific items of spend. This would improve the ability to monitor expenditure incurred.

We also recommend that monthly financial reports are reviewed in detail by ICT management. This should include close scrutiny of all costs to identify any variances, with actions developed at an early stage to control any overspends.

Management Response:
Recommendation accepted. Individual management reports are available and are reviewed monthly with each of the heads that are responsible for their devolved budget. A detailed breakdown of costs is now available from the Finance department. Additionally, weekly meetings are in place between the Head of Service Management and the Finance Business Partner, and monthly meetings are arranged between the Principal Accountant and the Director of ICT.

To be actioned by: Head of Service Management/Principal Accountant
No later than: 31 December 2017
Priority: 3

9 Control objective: Information security management.

9.1 Information Security Policy

Observation and Risk:
Our audit found that both the Information Security Policy and the Standard Operating Procedure (SOP) have not been reviewed since February [year missing]. Both the policy and the operating procedure were expected to be reviewed in [year missing]. We highlighted this issue in our Data Management audit in 2016 and it was stated that this would be addressed by 31 December [year missing].

There is a risk that the Policy and SOP are no longer aligned to recognised good information security practice. This may result in staff not applying good security practices as part of core business processes.

Recommendation:
We recommend that both the Information Security Policy and the Standard Operating Procedure are updated. Once this is completed, they should be published and all staff requested to confirm that they have received, read and understood them.

In reviewing the Policy and SOP, management will need to take into consideration the requirements of the EU General Data Protection Regulation, which comes into effect in May 2018.

Management Response:
Recommendation accepted. (This is not owned by ICT; however, the Head of Service Management will work with the Head of Corporate Governance to ensure that this is updated.) The Information Security Policy is currently being reviewed and is in draft. This action is being undertaken by the Head of Corporate Governance. Progression of this recommendation will be monitored by the Head of Service Management.

To be actioned by: Head of Corporate Governance
No later than: December 2017
Priority: 3

9.2 Security control documentation

Observation and Risk:
The Technical Assurance team is in the process of identifying, reviewing and documenting the technical security controls that are in operation. This has been completed for several areas, including web and mail filtering. As part of the process, controls currently in operation are being reviewed to confirm that they are consistent with the Information Security Policy. At the time of our review, this process was ongoing, but no timescale for the completion of this task had been defined, and it was not clear how this activity was being project managed or how the controls to be reviewed were being prioritised.

There is a risk that, without full documentation of technical security controls, weaknesses are not identified and addressed.

Recommendation:
We recommend that the Technical Assurance team continue to identify, review and document the technical security controls within the ICT environment. A timescale for completion of this task should be defined and, if appropriate, the process managed as a project. The initial focus of this activity should be on those areas assessed as higher risk.

We recommend that any risks identified during this process which are not fully addressed by changes to the control environment are recorded and subject to regular review.

Management Response:
Recommendation accepted. The Technical Audit and Assurance (TAA) team has continued work on producing documentation on technical security controls, including the production of logical Cyber topology schematics. The documented areas covered to date reflect the areas of highest risk, such as Internet connectivity, client-side hardening and endpoint security. The TAA team is engaged on a number of fronts and is prioritising time-critical security developments and initiatives that provide the greatest return for the investment of time and resources that are currently available to us.

The documentation of security controls features heavily in the delivery timelines across a number of pieces of work, including the delivery of our virtual SOC and our technical risk management framework. The former relies on the documentation for incident response and security posture reports; the latter requires the documentation to be in place to ensure the accuracy of the calculation itself.

To be actioned by: Head of Service Management/Technical Audit and Assurance Manager
No later than: 31 March 2018
Priority: 2

10 Control objective: Business relationship management.

10.1 Service review meetings

Observation and Risk:
Our audit found that ICT service reviews are primarily undertaken through senior management meetings. At the time of our audit, whilst noting that there were established processes for service reviews, these were not in place across all customers. This was due to resourcing pressures. The Service Delivery team has recently increased its resourcing levels and it is anticipated that service review meetings will be held with all relevant customers in due course. An expected benefit of the increased resource within the Service Delivery team is an increasingly proactive approach towards business relationship management.

There is a risk that, without performing service review meetings for all relevant customers, performance issues and/or emerging issues will not be identified and addressed on a timely and regular basis.

Recommendation:
We recommend that service reviews are conducted for all ICT customers. Issues that are identified during the service review process should be recorded and assessed, and improvements should be made as required (subject to the change management process).

To assess the effectiveness of these meetings, management should conduct a survey of customers to identify their perception.

Management Response:
Partially accepted. Staff from the Service Delivery function attend a number of boards chaired by senior officers and staff, where ICT Service is discussed. Reports are produced specific to their area. A separate Service review is not conducted. However, consideration of the best way forward in this regard will be discussed with our customer base and the appropriate action taken thereafter. We will develop and publish a matrix of all customer reporting. This will include meetings, attendees, purpose, frequency and IT reporting format.

To be actioned by: Head of Service Delivery
No later than: End October 2017
Priority: 2

10.2 Complaints and compliments

Observation and Risk:
Our audit found that the ICT function does not have a formal complaints policy and procedure in place. The process for raising complaints is currently informal and dependent on local knowledge rather than established procedure. Currently, complaints can be raised with ICT Leads or through monthly command meetings.

There is a risk that service users are not aware of the complaint-raising process and that ICT is not made aware of issues impacting user experience.

Recommendation:
We recommend that a complaints policy and procedure is developed and implemented, possibly as part of the SLA. The policy and procedure should clearly define the process for raising a complaint, the process to be followed to investigate it, when a response can be expected and how a complaint can be escalated should the customer not be satisfied with the outcome. In addition, it would be beneficial to maintain a record of complaints to support trend analysis and continuous service improvement.

Management Response:
Recommendation accepted. ICT will establish a formal complaints process. This process will clearly define the mechanism for raising a complaint, when a response might be expected and escalation routes. However, consideration must be given to processes already in place throughout Police Scotland where complaints can be raised to Professional Standards.

To be actioned by: Head of Service Delivery
No later than: End of October 2017
Priority: 3

11 Control objective: Supplier management.

11.1 Supplier engagement documentation

Observation and Risk:
Our audit found that there is a defined process within ICT to manage suppliers. As part of our audit testing, we found that the terms of engagement for Virgin Media were due to be reviewed in January [year missing]. However, this has not occurred. The terms of engagement provide details such as who can approve telecoms devices, the escalation process (for both Virgin Media and Police Scotland), key requirements, etc.

Without reviewing documentation relating to the management of individual suppliers, there is a risk that suppliers will not be managed in line with the needs of the organisation.

Recommendation:
We recommend that ICT ensure that all relevant documents relating to the management of suppliers are reviewed on a regular basis.

Management Response:
Recommendation accepted. All documents that relate to this will be updated and will be reviewed annually as part of the documentation review process.

To be actioned by: Head of Service Management
No later than: 31 December 2017
Priority: 2

12 Control objective: Service Reporting.

Our work identified no significant issues in relation to this control objective.

Our high-level audit work noted that there are a number of reports produced by ICT, including the quarterly corporate report. Through this report, ICT provides updates on resourcing, departmental updates and significant risks faced by ICT and the organisation, as well as the latest position on projects, performance and incidents.

ICT also provides monthly dashboard reports that give updates on the progress of ICT projects. These provide details on areas such as resource utilisation and expenditure. Reports are also produced for customers and include details such as Strategic ICT Developments, Portfolio Summary (update on customer projects) and Operational Highlights, as well as Incidents and Requests.

13 Key control objective: Incident management.

Our work identified no significant issues in relation to this control objective.

We identified that there is a dedicated team of 23 analysts across Edinburgh and Glasgow who are responsible for managing the Incident lifecycle. This includes initial logging of the incident through to its resolution. There are documented Incident Management procedures which the team use as a reference point for the management of incidents. For critical incidents (e.g. priority 1 or 2 incidents), there are additional procedures in place. For critical business applications, priority levels are automatically established by the incident management system (e.g. if an incident relates to the C3 system, it is automatically assigned as a P1 incident).

When a critical incident occurs, a service-update notice is added to the IT Connect Online portal page. This informs service users that the incident management team is aware of the incident. Whilst the notice is primarily used for critical incidents, it is also used in the event of repeat low-priority incidents being raised by service users.


Scott-Moncrieff Chartered Accountants. All rights reserved. Scott-Moncrieff refers to Scott-Moncrieff Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of independent firms. Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of investment business activities by the Institute of Chartered Accountants of Scotland.