[kictanet] ICT Authority, not Treasury, should oversee IFMIS

Victor Kapiyo vkapiyo at gmail.com
Thu Jan 19 10:43:40 EAT 2017


True. The users are the weakest link. We therefore must invest in building
integrity in not only systems but mostly the people who run them and
ensuring sufficient checks and balances, and more so stiff sanctions for
misuse or abuse of authority where public resources are concerned.

Victor

On 19 Jan 2017 10:39, "waudo siganga via kictanet" <
kictanet at lists.kictanet.or.ke> wrote:

> Hi Walu - I can see from your comments that you have never worked in a
> finance environment. For secure setup there is no way "IT guys must then
> translate x, y & z function into the appropriate access levels for that
> accountant within the system". Simply put a person who is a trained IT
> expert knows too much about how the system works and therefore cannot be
> assigned access administration. The overall person for access admin is a
> "super-user" or "Chief Security Officer" or a title in that direction. This
> super user assigns access rights to users, such as ability to add, delete,
> update, edit, view, etc records. To assign these rights in practically all
> IT systems the super user must himself have those same rights, otherwise
> he/she cannot assign them to other users. A system where a super-user is an
> IT expert is a very weak system. The IT expert should never have ability to
> enter a system and change records. If you analyse the IFMIS problem you
> will realise that it is not a problem of IT experts infiltrating the
> system. It is just password misuse by ordinary users. At least I agree with
> you on one thing - IT expertise role and password administration must never
> be put in the same office. In most banks and finance environments the
> super-user function is undertaken by the CEO or a very senior executive who
> is OUTSIDE the IT function.
>
> THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system,
> are the weakest link. It is like having pilots who are busy with corruption
> to fly a plane then when the plane crashes we say there was a problem with
> the plane.
>
> W.
>
> On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:
>
> @Dr Siganga, my comments below:
>
> >>1. Hi Walu - I do not agree with you that access administration
> (passwords) is a technical function. In most cases passwords just mimic
> authorization structures that pre-exist in a manual system.
> >>>
> Response: Yes and NO.
> Yes passwords and their access levels are controls that mimic the
> authorization levels of the manual system. However, their implementation in
> an ideal environment should be segregated. E.g. the finance director
> should say in writing: 'I need my accountant to do x, y & z function'.
> The IT guys must then translate x, y & z function into the appropriate
> access levels for that accountant within the system.
>
> Finance retains the administrative oversight in terms of triggering the
> password request and profiling the access levels desired. IT retains the
> technical function of implementing the same. Never put these two roles in
> one office. You bring a lot of trouble on yourself.
>
> >>2. I also differ with your suggestion that it is the work of technical
> people to enforce, check or review system controls. That should be the
> function of an independent auditor.
> >>
> RESPONSE: Yes and NO.
> Yes, independent or external auditors (hopefully Information System
> Auditors) do review the technical controls. But this is often an annual
> exercise. So serious organisations do not wait for a year to be told their
> controls were not effective. They have INTERNAL information system auditors
> (who are technical) to continuously monitor/enforce that these IT controls
> are in place, working and/or need to be updated. Other organisations may
> allocate this role to the Information Security Officer, either way these
> are ICT technical chaps.
>
> walu.
>
>
>
> ------------------------------
> From: waudo siganga <emailsignet at mailcan.com>
> To: Walubengo J <jwalu at yahoo.com>; KICTAnet ICT Policy Discussions <
> kictanet at lists.kictanet.or.ke>
> Sent: Wednesday, January 18, 2017 1:55 PM
> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS
>
> Hi Walu - I do not agree with you that access administration (passwords)
> is a technical function. In most cases passwords just mimic authorization
> structures that pre-exist in a manual system. It is very important that the
> access of technical people to a system, especially a financial one, be as
> inhibited as possible. Those who access the system should only be capable
> of doing the functions they would perform in a manual system. To enhance
> security of the system, access administration should be overseen by a most
> senior person who is NOT trained to do technical work on the system.
>
> I also differ with your suggestion that it is the work of technical people
> to enforce, check or review system controls. That should be the function of
> an independent auditor.
>
> Overall I think there is much misunderstanding about IFMIS. The problem is
> not technical; it is administrative. Specifically access administration
> (passwords).
>
> W.
>
> On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:
>
> Grace B via kictanet <kictanet at lists.kictanet.or.ke> wrote>>>
> Second, the problem with IFMIS, it appears is a lack of commitment to
> simple values such as integrity and prudent stewardship of public funds.
> What guarantee would we have that ICTA would be different from Treasury?
>
> >>
> Segregation of duties solves this.  Treasury continues being the Process
> owner, but surrenders the Technical leadership of the system/ERP to ICT
> Authority. So if it is a case of passwords and their use, expiry amongst
> other technical issues, we know it is ICT Authority to manage (and take
> blame).
>
> It is often a confusing and thin line. The line between Administrative and
> Technical authority.
>
> But you can look at it in terms of the President's Security detail. The
> President may be the (Administrative) boss of his security detail, but the
> President can never tell his security detail HOW to guard him or what
> weapons to use or how many guards he needs, where to position them etc.
>
> These are TECHNICAL issues that the President cannot and should never
> pretend to be dictating on since they lie squarely within the NIS/Inspector
> General domain. The moment NIS start taking technical instructions from the
> President, is the moment our security system will collapse.
>
> If we get this separation of authority right, we solve the IFMIS puzzle.
>
> walu.
>
>
> ------------------------------
> From: Grace B via kictanet <kictanet at lists.kictanet.or.ke>
> To: jwalu at yahoo.com
> Cc: Grace B <nmutungu at gmail.com>
> Sent: Wednesday, January 18, 2017 7:11 AM
> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS
>
> Interesting discussion. There are those who would look at IFMIS as a
> public finance management issue as opposed to an ICT one but this does not
> really count when giving management mandate to either Treasury or ICTA as
> long as the objectives of PFM (Article 201 of Katiba) are met.
> One of the issues voiced about IFMIS since devolution/new Constitution has
> been the problems experienced by county governments and other independent
> organs eg commissions in accessing funds in a timely manner. (We assume
> that Executive has not had too many problems assessing funds and may have
> indeed been facilitating leakage)
> One issue with transferring the responsibility of maintaining IFMIS to
> ICTA, it seems would be that there could be few differences between ICTA
> and Treasury. First, both are Executive institutions that may support
> devolved and independent structures in line with the soft policy direction
> of the government of the day. Second, the problem with IFMIS, it appears is
> a lack of commitment to simple values such as integrity and prudent
> stewardship of public funds. What guarantee would we have that ICTA would be
> different from Treasury?
>
> Regards
>
> 2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <
> kictanet at lists.kictanet.or.ke>:
>
> Barrack
>
> We are saying the same thing really.. Let's assume that the ICTA is the
> ICT Department of the Government (which I doubt it is equipped to execute
> that mandate) then 'managing' here really means providing support to the
> system.
>
> I think it's time the Government considers the role of Chief Information
> Officer to really manage the strategic thrust of all ICT initiatives across
> ministries. The CIO can then be held accountable for overall efficiency and
> security of all Government ICT Systems. This CIO needs to report directly
> to the Chief Executive Officer (President) of the country. Now, that person
> could be seconded or be a part of the ICTA with a dotted line responsibility
> to the CS, MOICT...
>
> Ultimately the overall responsibility of how well our Government ICT
> Systems work lies squarely on the CEO's desk. Look no further.
>
> Ali Hussein
> Principal
> Hussein & Associates
> +254 0713 601113
>
> Twitter: @AliHKassim
> Skype: abu-jomo
> LinkedIn: http://ke.linkedin.com/in/alihkassim
> "We are what we repeatedly do. Excellence, therefore, is not an act but a
> habit."  ~ Aristotle
>
>
> Sent from my iPad
>
> On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <
> kictanet at lists.kictanet.or.ke > wrote:
>
>
> Hi Ali,
>
> ERP grew from MRP (Material Resource Planning), which was a means of
> planning and allocating resources in Factories. The difference between
> the two is that MRP's were stand alone systems whereas ERP's are
> modular and have more functionality. From an evolution perspective,
> it would be ideal to manage IFMIS from Ministry of Finance since they
> are the custodians of the treasury and normally allocate resources
> through the budgeting process. From a Project Management perspective,
> it would be ideal to manage IFMIS from ICTA since it is the
> specialized agency meant to manage government technology investments.
>
> Regards
>
> On 1/17/17, S.M. Muraya via kictanet <kictanet at lists.kictanet.or.ke >
> wrote:
>
> Doubt Treasury economists and accountants are well placed to provide Cyber
> Security :)
>
> We need the ICT Authority to configure enterprise wide data protection
> (limiting theft of passwords & access to IFMIS).
>
> In 2016, the UN ranked the UK as # 1 in providing digital services.
>
> https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016
>
> The Government Digital Service (GDS) is part of their Cabinet Office, not
> their Treasury.
>
> https://www.gov.uk/government/publications/govuk-pay/govuk-pay
>
> Their Treasury is consulted about the payment system 👆🏾 the GDS
> continues to build.
>
> SMM
>
> *"Better a patient person than a warrior, one with self-control than one
> who takes a city." Prov 16:32*
>
>
> On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali at hussein.me.ke> wrote:
>
>
>
> I fundamentally disagree with this assertion.
>
> Firstly, the role of a CIO is to support the enterprise. I have never
> heard in my life of an ERP Director. This is just adding a superfluous
> layer of useless bureaucracy.
>
> The owner of an ERP is the business with each department taking ownership
> of their components:-
>
> 1. Financials - CFO
> 2. CRM (Commercial/marketing/sales)
> 3. Procurement - Procurement which sometimes comes under Finance
>
> Etc.
>
> The CIO takes ownership to ensure that the company is well oiled to
> execute on its mandate. This in my humble opinion goes beyond ERPs and
> talks to aligning the Technology Strategy with the Business Strategy. For
> example in the banking sector where increasingly the more savvy banks are
> taking a 'Platform Thinking' approach. This allows partners to plug into
> their core technology through APIs to enable them extend capabilities and
> hence offerings to their customers.
>
> The role of a CIO has fundamentally changed to speak to the need for using
> Technology as an accelerator to successful business models.
>
> Secondly, I don't see how the ICT Authority would be better in managing
> the monster that is IFMIS. Let them first learn the basics of communicating
> effectively with the community before taking on this elephant in the room.
>
>
>
> *Ali Hussein*
> *Principal*
> *Hussein & Associates*
> +254 0713 601113
>
> Twitter: @AliHKassim
> Skype: abu-jomo
> LinkedIn: http://ke.linkedin.com/in/alihkassim
>
> "We are what we repeatedly do. Excellence, therefore, is not an act but a
> habit."  ~ Aristotle
>
>
>
>
>
> Sent from my iPad
>
>
>
> On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <
>
> kictanet at lists.kictanet.or.ke> wrote:
>
>
>
> Interesting comments...
>
> ICT Authority, not Treasury, should oversee IFMIS
>
> http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-3520560-5j04aq/index.html
>
>
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> Twitter: http://twitter.com/kictanet
> Facebook: https://www.facebook.com/KICTANet/
>
> Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
>
>
>
>
>
>
>
>
> --
> Barrack O. Otieno
> +254721325277
> +254733206359
> Skype: barrack.otieno
> PGP ID: 0x2611D86A
>
>
>
> --
> Grace L.N. Mutung'u
> Skype: gracebomu
> Twitter: @Bomu
>
> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>
> PGP ID : 0x33A3450F
>
>