[kictanet] ICT Authority, not Treasury, should oversee IFMIS

waudo siganga emailsignet at mailcan.com
Thu Jan 19 12:01:53 EAT 2017


Thanks Walu. I'll wait for the coffee...

W.

 

On Thu, Jan 19, 2017, at 11:33 AM, Walubengo J wrote:

> @Daktari Siganga,

>  

> I was the ICT Director for our university for 5 yrs and managed both
> the University Network & ERP - but I don't say :-)
>  

> We switch between the classroom and ICT operations like that. So I
> kinda have both the academic and practical view of these things
>  

> Anyway, you are right in that the IT expert (Superuser) should NOT be
> a normal 'Finance'/'HR'/Procurement/ or other regular user of the
> ERP. However, the IT guys still assign these roles and privileges to
> the various functional users, i.e. they must grant rights to the
> Finance/HR/ and other Directors to execute their work within the ERP.
>  

> Different implementations (company policy) may be that this is
> delegated to the various functional heads who can then subsequently
> grant privileges/access rights down through their departments.
>  

> But this is NOT ideal since you lose the segregation of duties where
> you want the Functional heads(e.g. Finance Director) to make the access-
> rights requests IN WRITING, and have SOMEONE ELSE implement that
> request.
>  

> This is the 'control' auditors are looking for when auditing the
> information system later on - in terms of checks and balances. Such a
> control is what leads to the questions like:-
> a) Who within the ERP system has privileges that were not formally
>    requested for in writing? Or
> b) Who within the ERP system has more privileges than what was
>    formally requested for?
> c) Who within the ERP exists but has no supporting access request from
>    the Functional head?
> d) etc, etc.

>  

> Even if the IT expert abused his/her superuser privileges by granting
> themselves some user rights within the Financial module, they will be
> outed by the above audit process.
>  

> Denying the IT expert the ability to grant access rights within the
> ERP and passing the same to the functional heads does not solve the
> problem of abuse. The functional heads can simply become the new
> kingpins. Only segregation of duty cures the problem of abuse.
>  

> But we can meet over coffee and share the pros and cons of the various
> implementations :-)
>  

> walu.

>  

> 
>   

> From: waudo siganga <emailsignet at mailcan.com> To: Walubengo J
> <jwalu at yahoo.com>; KICTAnet ICT Policy Discussions
> <kictanet at lists.kictanet.or.ke> Sent: Thursday, January 19, 2017
> 10:36 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should
> oversee IFMIS
>  

> Hi Walu - I can see from your comments that you have never worked in a
> finance environment. For secure setup there is no way "IT guys must
> then translate x, y & z function into the appropriate access levels
> for that accountant within the system". Simply put a person who is a
> trained IT expert knows too much about how the system works and
> therefore cannot be assigned access administration. The overall person
> for access admin is a "super-user" or "Chief Security Officer" or a
> title in that direction. This super user assigns access rights to
> users, such as ability to add, delete, update, edit, view, etc. records.
> To assign these rights in practically all IT systems the super user
> must himself have those same rights, otherwise he/she cannot assign
> them to other users. A system where a super-user is an IT expert is a
> very weak system. The IT expert should never have ability to enter a
> system and change records. If you analyse the IFMIS problem you will
> realise that it is not a problem of IT experts infiltrating the
> system. It is just password misuse by ordinary users. At least I agree
> with you on one thing - IT expertise role and password administration
> must never be put in the same office. In most banks and finance
> environments the super-user function is undertaken by the CEO or a
> very senior executive who is OUTSIDE the IT function.
>  

> THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT
> system, are the weakest link. It is like having pilots who are busy
> with corruption to fly a plane then when the plane crashes we say
> there was a problem with the plane.
>  

> W.

>  

> On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:

>> @Dr Siganga, my comments below:

>>  

>> >>1. Hi Walu - I do not agree with you that access administration
>> >>   (passwords) is a technical function. In most cases passwords
>> >>   just mimic authorization structures that pre-exist in a manual
>> >>   system.
>>

>> Response: Yes and NO.

>> Yes passwords and their access levels are controls that mimic the
>> authorization levels of the manual system. However, their
>> implementation in an ideal environment should be segregated.   E.g
>> the finance director should say in writing: 'I need my accountant to
>> do x, y & z function' .  The IT guys must then translate x, y & z
>> function into the appropriate access levels for that accountant
>> within the system.
>>  

>> Finance retains the administrative oversight in terms of triggering
>> the password request and profiling the access levels desired. IT
>> retains the technical function of implementing the same. Never put
>> these two roles in one office. It brings many problems on itself.
>>  

>> >>2. I also differ with your suggestion that it is the work of
>> >>   technical people to enforce, check or review system controls.
>> >>   That should be the function of an independent auditor.
>> >>

>> RESPONSE: Yes and NO.

>> Yes, independent or external auditors (hopefully Information System
>> Auditors) do review the technical controls. But this is often an
>> annual exercise. So serious organisations do not wait for a year to
>> be told their controls were not effective. They have INTERNAL
>> information system auditors (who are technical) to continuously
>> monitor/enforce that these IT controls are in place, working and/or
>> need to be updated. Other organisations may allocate this role to
>> the Information Security Officer; either way these are ICT
>> technical chaps.
>>  

>> walu.

>>  

>> 
>>   

>> From: waudo siganga <emailsignet at mailcan.com> To: Walubengo J
>> <jwalu at yahoo.com>; KICTAnet ICT Policy Discussions
>> <kictanet at lists.kictanet.or.ke> Sent: Wednesday, January 18, 2017
>> 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should
>> oversee IFMIS
>>  

>> Hi Walu - I do not agree with you that access administration
>> (passwords) is a technical function. In most cases passwords just
>> mimic authorization structures that pre-exist in a manual system. It
>> is very important that the access of technical people to a system,
>> especially a financial one, be as inhibited as possible. Those who
>> access the system should only be capable of doing the functions they
>> would perform in a manual system. To enhance security of the system,
>> access administration should be overseen by a most senior person who
>> is NOT trained to do technical work on the system.
>>  

>> I also differ with your suggestion that it is the work of technical
>> people to enforce, check or review system controls. That should be
>> the function of an independent auditor.
>>  

>> Overall I think there is much misunderstanding about IFMIS. The
>> problem is not technical; it is administrative. Specifically access
>> administration (passwords).
>>  

>> W.

>>  

>> On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

>>> Grace B via kictanet <kictanet at lists.kictanet.or.ke> wrote:

>>> Second, the problem with IFMIS, it appears, is a lack of commitment
>>> to simple values such as integrity and prudent stewardship of public
>>> funds. What guarantee would we have that ICTA would be different from
>>> Treasury?
>>>  

>>>

>>> Segregation of duties solves this.  Treasury continues being the
>>> Process owner, but surrenders the Technical leadership of the
>>> system/ERP to ICT Authority. So if it is a case of passwords and
>>> their use, expiry amongst other technical issues, we know it is ICT
>>> Authority to manage (and take blame).
>>>  

>>> It is often a confusing and thin line. The line between
>>> Administrative and Technical authority.
>>>  

>>> But you can look at it in terms of the President's Security detail.
>>> The President maybe the (Administrative) boss of his security
>>> detail, but the President can never tell his security detail HOW to
>>> guard him or what weapons to use or how many guards he needs, where
>>> to position them etc.
>>>  

>>> These are TECHNICAL issues that the President cannot and should
>>> never pretend to be dictating on since they lie squarely within the
>>> NIS/Inspector General domain. The moment NIS start taking technical
>>> instructions from the President, is the moment our security system
>>> will collapse.
>>>  

>>> If we get this separation of authority right, we solve the IFMIS
>>> puzzle.
>>>  

>>> walu.

>>>  

>>>  

>>> From: Grace B via kictanet <kictanet at lists.kictanet.or.ke> To:
>>> jwalu at yahoo.com Cc: Grace B <nmutungu at gmail.com> Sent: Wednesday,
>>> January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not
>>> Treasury, should oversee IFMIS
>>>  

>>> Interesting discussion. There are those who would look at IFMIS as
>>> a public finance management issue as opposed to an ICT one, but this
>>> does not really count when giving management mandate to either
>>> Treasury or ICTA as long as the objectives of PFM (Article 201 of
>>> Katiba) are met.
>>> One of the issues voiced about IFMIS since devolution/new
>>> Constitution has been the problems experienced by county governments
>>> and other independent organs, e.g. commissions, in accessing funds in a
>>> timely manner. (We assume that Executive has not had too many
>>> problems accessing funds and may have indeed been facilitating
>>> leakage.)
>>> One issue with transferring the responsibility of maintaining IFMIS
>>> to ICTA, it seems, would be that there could be few differences
>>> between ICTA and Treasury. First, both are Executive institutions
>>> that may support devolved and independent structures in line with
>>> the soft policy direction of the government of the day. Second, the
>>> problem with IFMIS, it appears, is a lack of commitment to simple
>>> values such as integrity and prudent stewardship of public funds.
>>> What guarantee would we have that ICTA would be different from
>>> Treasury?
>>>  

>>> Regards

>>>  

>>> 2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet
>>> <kictanet at lists.kictanet.or.ke>:
>>>> Barrack

>>>>  

>>>> We are saying the same thing really.. Let's assume that the ICTA is
>>>> the ICT Department of the Government (which I doubt it is equipped
>>>> to execute that mandate) then 'managing' here really means
>>>> providing support to the system.
>>>>  

>>>> I think it's time the Government considers the role of Chief
>>>> Information Officer to really manage the strategic thrust of all
>>>> ICT initiatives across ministries. The CIO can then be held
>>>> accountable for overall efficiency and security of all Government
>>>> ICT Systems. This CIO needs to report directly to the Chief
>>>> Executive Officer (President) of the country. Now, that person
>>>> could be seconded or be a part of the ICTA with a dotted line
>>>> responsibility to the CS, MOICT...
>>>>  

>>>> Ultimately the overall responsibility of how well our Government
>>>> ICT Systems work lies squarely on the CEO's desk. Look no further.
>>>>
>>>> Ali Hussein

>>>> Principal

>>>> Hussein & Associates

>>>> +254 0713 601113 

>>>>  

>>>> Twitter: @AliHKassim

>>>> Skype: abu-jomo

>>>> LinkedIn: http://ke.linkedin.com/in/alihkassim[1]

>>>> "We are what we repeatedly do. Excellence, therefore, is not an act
>>>> but a habit."  ~ Aristotle
>>>>  

>>>>  
>>>>  Sent from my iPad

>>>>
>>>>  On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet
>>>>  <kictanet at lists.kictanet.or.ke > wrote:
>>>>
>>>>> Hi Ali,
>>>>>
>>>>> ERP grew from MRP (Material Resource Planning), which was a means of
>>>>> planning and allocating resources in Factories. The difference
>>>>> between the two is that MRPs were stand alone systems whereas
>>>>> ERPs are modular and have more functionality. From an evolution
>>>>> perspective, it would be ideal to manage IFMIS from Ministry of
>>>>> Finance since they are the custodians of the treasury and normally
>>>>> allocate resources through the budgeting process. From a Project
>>>>> Management perspective, it would be ideal to manage IFMIS from
>>>>> ICTA since it is the specialized agency meant to manage government
>>>>> technology investments.
>>>>>
>>>>> Regards
>>>>>
>>>>> On 1/17/17, S.M. Muraya via kictanet
>>>>> <kictanet at lists.kictanet.or.ke> wrote:
>>>>>
>>>>> Doubt Treasury economists and accountants are well placed to provide
>>>>> CyberSecurity :) We need the ICT Authority to configure enterprise
>>>>> wide data protection (limiting theft of passwords & access to IFMIS).
>>>>> In 2016, the UN ranked the UK as # 1 in providing digital services.
>>>>> https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016[2]
>>>>> The Government Digital Service (GDS) is part of their Cabinet Office,
>>>>> not their Treasury.
>>>>> https://www.gov.uk/government/publications/govuk-pay/govuk-pay[3]
>>>>> Their Treasury is consulted about the payment system 👆🏾 the GDS
>>>>> continues to build.
>>>>>
>>>>> SMM
>>>>> *"Better a patient person than a warrior, one with self-control
>>>>> than one who takes a city." Prov 16:32*
>>>>>
>>>>> On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali at hussein.me.ke> wrote:
>>>>>
>>>>> I fundamentally disagree with this assertion. Firstly, the role of a
>>>>> CIO is to support the enterprise. I have never heard in my life of an
>>>>> ERP Director. This is just adding a superfluous layer of useless
>>>>> bureaucracy. The owner of an ERP is the business with each
>>>>> department taking ownership of their components:-
>>>>> 1. Financials - CFO
>>>>> 2. CRM (Commercial/marketing/sales)
>>>>> 3. Procurement - Procurement which sometimes comes under Finance
>>>>> Etc.
>>>>>
>>>>> The CIO takes ownership to ensure that the company is well oiled to
>>>>> execute on its mandate. This in my humble opinion goes beyond ERPs
>>>>> and talks to aligning the Technology Strategy with the Business
>>>>> Strategy. For example in the banking sector where increasingly the
>>>>> more savvy banks are taking a 'Platform Thinking' approach. This
>>>>> allows partners to plug into their core technology through APIs to
>>>>> enable them extend capabilities and hence offerings to their
>>>>> customers. The role of a CIO has fundamentally changed to speak to
>>>>> the need for using Technology as an accelerator to successful
>>>>> business models.
>>>>>
>>>>> Secondly, I don't see how the ICT Authority would be better in
>>>>> managing the monster that is IFMIS. Let them first learn the basics
>>>>> of communicating effectively with the community before taking on
>>>>> this elephant in the room.
>>>>>
>>>>> *Ali Hussein*
>>>>> *Principal*
>>>>> *Hussein & Associates*
>>>>> +254 0713 601113
>>>>> Twitter: @AliHKassim
>>>>> Skype: abu-jomo
>>>>> LinkedIn: http://ke.linkedin.com/in/alihkassim[4]
>>>>> "We are what we repeatedly do. Excellence, therefore, is not an act
>>>>> but a habit." ~ Aristotle
>>>>> Sent from my iPad
>>>>>
>>>>> On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet
>>>>> <kictanet at lists.kictanet.or.ke> wrote:
>>>>>
>>>>> Interesting comments... ICT Authority, not Treasury, should oversee
>>>>> IFMIS
>>>>> http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-3520560-5j04aq/index.html[5]
>>>>>
>>>>> _______________________________________________
>>>>> kictanet mailing list
>>>>> kictanet at lists.kictanet.or.ke
>>>>> https://lists.kictanet.or.ke/mailman/listinfo/kictanet[6]
>>>>> Twitter: http://twitter.com/kictanet
>>>>> Facebook: https://www.facebook.com/KICTANet/[7]
>>>>> Unsubscribe or change your options at
>>>>> https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com[8]
>>>>> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder
>>>>> platform for people and institutions interested and involved in ICT
>>>>> policy and regulation. The network aims to act as a catalyst for
>>>>> reform in the ICT sector in support of the national aim of ICT
>>>>> enabled growth and development.
>>>>> KICTANetiquette : Adhere to the same standards of acceptable
>>>>> behaviors online that you follow in real life: respect people's
>>>>> times and bandwidth, share knowledge, don't flame or abuse or
>>>>> personalize, respect privacy, do not spam, do not market your wares
>>>>> or qualifications.
>>>>>
>>>>> --
>>>>> Barrack O. Otieno +254721325277 +254733206359 Skype:
>>>>> barrack.otieno PGP ID: 0x2611D86A
>>>>>
>>>>
>>>
>>>  
>>>  --


>>> Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu
>>>
>>>  <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>>>  

>>> PGP ID : 0x33A3450F
>>>   
>>>   


>>>
>>>
>>
>>
>
>
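The audit questions in Walu's reply above (who holds privileges that were never requested in writing, who holds more than was requested, who exists in the ERP with no supporting request) and his point that self-granted superuser privileges are "outed by the audit process" describe a reconciliation a practitioner can automate. The following is an added example, not code from the thread or from any IFMIS/ERP product: it compares a constructed ledger of written access requests against a constructed ERP role export and reports each category. The request-ledger and export formats, the account names and the privilege names are all assumptions made up for the illustration.

```python
"""Reconcile ERP privilege grants against written access requests.

Added example for the segregation-of-duties audit discussed in the thread.
All data below is constructed for illustration; the ledger and export
formats are assumptions, not any real IFMIS/ERP format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """A written, approved request from a functional head for one ERP account."""
    request_id: str
    requested_by: str       # functional head who signed the request
    user: str               # ERP account the request concerns
    privileges: frozenset   # privileges the head asked for


# Constructed request ledger (assumed format, not real data).
REQUESTS = (
    AccessRequest("REQ-001", "finance.director", "acc.jane",
                  frozenset({"gl.view", "gl.post"})),
    AccessRequest("REQ-002", "hr.director", "hr.otieno",
                  frozenset({"payroll.view"})),
)

# Constructed ERP role export: user -> {privilege: account that granted it}.
# The export shape is an assumption; real ERPs expose this in their own way.
ERP_GRANTS = {
    "acc.jane":  {"gl.view": "it.admin", "gl.post": "it.admin",
                  "gl.approve": "it.admin"},          # holds more than requested
    "hr.otieno": {"payroll.view": "hr.director"},       # requester implemented it
    "it.admin":  {"gl.post": "it.admin", "gl.approve": "it.admin"},  # self-granted
}


def reconcile(requests, grants):
    """Compare ERP grants with the written requests.

    Returns a dict of finding lists:
      "a"          (user, privilege) pairs held without a written request
      "b"          users with a request who hold more than it covers
      "c"          ERP users with no supporting request at all
      "self_grant" (user, privilege) pairs the user granted to their own account
      "sod_breach" (user, privilege) pairs implemented by the same person
                   who requested them (requester and implementer must differ)
    """
    approved = defaultdict(set)
    requester_of = {}
    for req in requests:
        approved[req.user] |= set(req.privileges)
        requester_of[req.user] = req.requested_by

    findings = {"a": [], "b": [], "c": [], "self_grant": [], "sod_breach": []}
    for user in sorted(grants):
        held = grants[user]
        requested = approved.get(user, set())   # .get avoids inserting new keys
        if user not in approved:
            findings["c"].append(user)
        extra = sorted(set(held) - requested)
        findings["a"].extend((user, priv) for priv in extra)
        if extra and user in approved:
            findings["b"].append(user)
        for priv in sorted(held):
            granted_by = held[priv]
            if granted_by == user:
                findings["self_grant"].append((user, priv))
            elif granted_by == requester_of.get(user):
                findings["sod_breach"].append((user, priv))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(REQUESTS, ERP_GRANTS).items():
        print(f"{category}: {items}")
```

The check is only as good as its inputs: the request ledger must be maintained outside the ERP by someone other than the account that performs grants, and the role export should be pulled by the reviewer, not handed over by the administrator being reviewed.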

Links:

   1. http://ke.linkedin.com/in/alihkassim
   2. https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016
   3. https://www.gov.uk/government/publications/govuk-pay/govuk-pay
   4. http://ke.linkedin.com/in/alihkassim
   5. http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-
   6. https://lists.kictanet.or.ke/mailman/listinfo/kictanet
   7. https://www.facebook.com/KICTANet/
   8. https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com
   9. https://lists.kictanet.or.ke/mailman/listinfo/kictanet
  10. https://www.facebook.com/KICTANet/
  11. https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com
  12. https://lists.kictanet.or.ke/mailman/listinfo/kictanet
  13. https://www.facebook.com/KICTANet/
  14. https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20170119/f8335943/attachment.htm>


More information about the KICTANet mailing list