Audit Findings and Recommendations for Jamaica Customs Agency IT Governance and Business Continuity Management
An IT audit of Jamaica Customs Agency revealed inadequacies in IT oversight, draft IT policies, weak system settings, and absence of business continuity planning. The agency lacked an IT Steering Committee leading to misalignment of ICT strategies with organizational objectives. Furthermore, nine IT policies were not approved, risking information security. Recommendations include establishing oversight mechanisms, finalizing policies, and enhancing business continuity planning.
Presentation Transcript
Jamaica Customs Agency IT GOVERNANCE AND BUSINESS CONTINUITY MANAGEMENT
AUDIT OBJECTIVE
We undertook an IT audit to determine whether the Jamaica Customs Agency (JCA) has an effective Business Continuity Management System to ensure the timely resumption of critical services in the event of any serious interruptions. We also assessed the adequacy of the JCA's Information Technology Governance and examined, on a test basis, evidence supporting compliance with relevant policies, laws and regulations applicable to the Information and Communications Technology (ICT) operations of the Agency. The review spanned the 2014/2015 to 2016/2017 financial years.
What we Found
Inadequate IT Oversight
Draft IT Policies and Weak System Settings
Unstructured IT Risk Management
Absence of Management Commitment to Business Continuity Planning
Inadequate Business Continuity and Disaster Recovery Planning
Information Technology Governance
[Diagram: IT Governance domains: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement]
Inadequate IT Oversight
The Information Management Unit (IMU) reported its operational performance to the executive management and the Ministry of Finance and the Public Service, but the Agency did not have an IT Steering Committee or equivalent to ensure the alignment of IT strategies with JCA objectives and oversight of IT service delivery and projects. As a result, the ICT Strategic Plan prepared for the 2013/14 to 2015/16 financial years was not reviewed to ensure consistency with the JCA's strategic priorities or the availability of the resources required to execute the 20 strategies planned. The ICT strategies stated in the plan were not directly aligned to the Agency's strategic objectives for the respective financial years. There were also no subsequent updates to reflect the ICT strategies pursued for the 2016/17 and 2017/18 financial years.
Draft IT Policies and Weak System Settings
The JCA developed nine IT policies; however, they were not approved by management and thus were not communicated to staff. Despite the JCA's reliance on its information systems and the need to ensure the confidentiality and integrity of customer data, the Agency's network server policies were insufficient to ensure information security. The details of the server policy weaknesses were excluded due to the information security risks.
Unstructured IT Risk Management
The JCA could not demonstrate that IT risks were managed in a structured manner. The Agency was unable to provide documentary evidence that security assessments were performed for critical systems and locations, or that vulnerabilities and threats relevant to its IT assets were assessed.
Business Continuity Management
[Diagram: The Business Continuity Management Process: Management Commitment (BC Policy, Scope & Objective); Identify (Risk Assessment); Analyze (Business Impact Analysis (BIA)); Create (Strategy & Plan Development); Measure (Test, Train & Maintain)]
Absence of Management Commitment to Business Continuity Planning
The Information Management Unit (IMU) and Occupational Health & Safety Unit (OH&SU) contributed to the disaster recovery and emergency management planning, but the BCP roles and responsibilities were not clearly defined. The Agency did not develop or adopt a framework to guide the approach that would be taken to plan, execute, communicate and test its Business Continuity and IT Disaster Recovery Plans. The JCA did not define the business continuity policy, objectives, scope and budget necessary to support and guide the business continuity planning process.
Inadequate Business Continuity and Disaster Recovery Planning
The JCA did not have a Business Continuity Plan. The draft IT Disaster Recovery Plan (IT DRP) reviewed related only to the ASYCUDA application, though daily reliance was placed on 15 legacy systems. Documentation of the plan began in November 2015 and, as at its last update in April 2017, it did not identify the key contacts, critical processes, required resources (financial and non-financial) and alternate processing site(s).
Inadequate Business Continuity and Disaster Recovery Planning
The JCA's recovery procedures considered only the risk of a system failure, despite the Agency recording 40 events/incidents that resulted in the unavailability and slow performance of the ASYCUDA application.
What should be done
An IT governance framework should be adopted to ensure that IT resources are directed and controlled in a manner that ensures proper risk management, performance measurement and the alignment of IT strategies with the JCA's strategic objectives. The framework should encourage the establishment of oversight committees and the development of appropriate policies, roles and responsibilities to ensure accountability and the use of IT resources to deliver value to all stakeholders. The JCA has since indicated that it will establish an ICT Strategic Committee by October 2019. Subsequent to the audit, an ICT Policy Review Committee was formed, resulting in the Commissioner approving seven of the mentioned policies along with four others. One policy is scheduled for approval by October 31, 2019, while another is being redrafted. Additionally, all separated staff user accounts were removed and the relevant Account Policies enabled.
What should be done
The Information Management Unit (IMU) should develop an IT risk management framework that ensures the systematic identification, assessment and mitigation of risks to the achievement of the Agency's strategic objectives. The JCA has indicated that an appropriate standard will be identified to develop and implement an IT risk register before the end of the 2019/2020 financial year.
What should be done
Management should adopt a framework to guide the structured development of the Agency's Business Continuity Plan (BCP) and IT Disaster Recovery Plan (IT DRP). The framework should encourage a systematic approach to identifying significant risks and critical business processes, to ensure that the required resilience of the IT infrastructure is determined and appropriate strategies are employed to prevent or minimise the impact of a major disruption. The BCP and IT DRP should clearly outline the roles and responsibilities of the planning team, recovery team and external service providers, key contacts, recovery procedures, alternate processing sites and key dependencies for critical systems. Plans should also be tested to ensure that recovery can be achieved in the established recovery time and manner. The JCA has since established a committee with responsibility for the Agency's business continuity planning and intends to make provisions for the BCP in its budget for the 2020/2021 financial year. The JCA has also drafted a BCP but intends to engage a consultant to assist in its business continuity and disaster recovery planning.