Medium Term ICT Strategy
The Organization undertook a review of its ICT Strategy, streamlining the document and updating and addressing the following topic areas:
• The Business Capability Model of the Organization and related Enterprise Architecture implications
• IT Risk Management
• Information Security.
ICT Governance
The recently established Architecture Review Board, whose membership cut across all Bureaus, the Project Management Group as well as Application Management Governance group met regularly throughout the year to approve ICT programme initiatives and help ensure that ICT projects were aligned with the business and strategic needs of the Organization.
Scheduled meetings took place through 2020 to drive ICT governance. ICT programme initiatives were presented to align with the business and strategic needs of the Organization.
Since July 2020, the Secretariat has embarked on regular meetings to start the process of analysing all areas of ICT that need attention. These can be split into the following areas:
a) A comprehensive review of the ICT Strategy document, including a strengths, weaknesses, opportunities and threats (SWOT) analysis of ICT sections, the review of the ICT Service Catalogue and identifying the areas needing improvement, staff skills needing to be addressed and Governance.
b) Areas being considered for potential outsourcing are service desk operations, application development, servers and infrastructure management, network management, project management, and business analysis.
c) A tender is to be issued for an independent consultancy to review the existing ICT organization and the ICT Change Programme, to propose a new organigram aligned with ICAO’s needs and to propose the services most cost-effective to be outsourced.
d) The timelines and cost involved for ICT services or outsourced services will be reviewed once the independent review is finalized.
Information Security
ICAO had implemented its first Information Security Roadmap for 2020-2022. Some of the major actions completed in 2020 include comprehensive penetration testing, vulnerability audit, operational framework review, and the promulgation of five Administrative Instructions related to Information Security at ICAO through the revived Information Security Management Group (ISMG) that met a few times during 2020. Security awareness training was also rolled out to all ICAO staff and personnel in December 2020. ICAO Headquarters and Regional Offices were mapped in the scheduled and automated vulnerability assessment. All known vulnerabilities were tracked in a register, and continuous fixing was done by both HQ IT and RO IT.
An Incident management framework was developed which included an Information Security Incident Management programme, including the associated Administrative Instructions; Information Security Incident Response Plan including detailed instructions and information to engage with third-party Managed Security Service Providers (MSSP).
For the year 2020, some 120 incidents were recorded and classified by ICAO information security as critical (23), high (47), medium (48), and low (2). All critical incidents received immediate response and intervention, following which half have been satisfactorily resolved and closed. The remaining are being analysed and treated with priority.