Doubt Treasury economists and accountants are well placed to provide Cyber Security :) We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur... The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury. https://www.gov.uk/government/publications/govuk-pay/govuk-pay Their Treasury is consulted about the payment system 👆🏾 the GDS continues to build. SMM *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership of their components:-

1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room.

*Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/alihkassim

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 3520560-5j04aq/index.html

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info%40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Barrack We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system. I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT... Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further. Ali Hussein Principal Hussein & Associates +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle Sent from my iPad

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke> wrote:

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

...

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote: Doubt Treasury economists and accountants are well placed to provide Cyber Security :)

We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS).

In 2016, the UN ranked the UK as # 1 in providing digital services.

https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur...

The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury.

https://www.gov.uk/government/publications/govuk-pay/govuk-pay

Their Treasury is consulted about the payment system 👆🏾 the GDS continues to build.

SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

...

On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership of their components:-

1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room.

*Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/alihkassim

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 3520560-5j04aq/index.html

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info%40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Grace B via kictanet <kictanet@lists.kictanet.or.ke> wrote>>> Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury? 

...

Segregation of duties solves this.  Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame). It is often a confusing and thin line. The line between Administrative and Technical authority.   But you can look at it in terms of the President's Security detail.   The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.  These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse. If we get this seperation of authority right, we solve the IFMIS puzzle. walu.   From: Grace B via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?  Regards 2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke>: Barrack We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.  I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT... Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further. Ali HusseinPrincipalHussein & Associates+254 0713 601113  Twitter: @AliHKassimSkype: abu-jomoLinkedIn: http://ke.linkedin. com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle Sent from my iPad On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke > wrote: Hi Ali, ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments. Regards On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke > wrote: Doubt Treasury economists and accountants are well placed to provide Cyber Security :) We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016 The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury. https://www.gov.uk/government/ publications/govuk-pay/govuk- pay Their Treasury is consulted about the payment system  👆🏾  the GDS continues to build. SMM *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote: I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy. The owner of an ERP is the business with each department taking ownership of their components:- 1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room. *Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/ alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote: Interesting comments... ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560- 3520560-5j04aq/index.html ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. -- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. -- Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu <http://www.diplointernetgovernance.org/profile/GraceMutungu> PGP ID : 0x33A3450F _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor. Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords). W. On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

Grace B via kictanet <kictanet@lists.kictanet.or.ke> wrote>>>

Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

It is often a confusing and thin line. The line between Administrative and Technical authority.

But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.

These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse.

If we get this seperation of authority right, we solve the IFMIS puzzle.

walu.

From: Grace B via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

Regards

2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke>:

...

Barrack

...

...

We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.

...

I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT...

...

Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.

Ali Hussein

...

Principal

...

Hussein & Associates

...

+254 0713 601113

...

...

Twitter: @AliHKassim

...

Skype: abu-jomo

...

LinkedIn: http://ke.linkedin. com/in/alihkassim[1]

...

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

...

Sent from my iPad

...

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke > wrote:

...

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

...

wrote:Doubt Treasury economists and accountants are well placed to

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke provide CyberSecurity :) We need the ICT Authority to configure enterprise wide data protection(limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016[2] The Government Digital Service (GDS) is part of their Cabinet Office, nottheir Treasury. https://www.gov.uk/government/ publications/govuk-pay/govuk- pay[3] Their Treasury is consulted about the payment system 👆🏾 the GDScontinues to build. SMM *"Better a patient person than a warrior, one with self-control than onewho takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote: I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have neverheard in my life of an ERP Director. This is just adding a superfluouslayer of useless bureaucracy. The owner of an ERP is the business with each department taking ownershipof their components:- 1. Financials - CFO2. CRM (Commercial/marketing/sales)3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled toexecute on its mandate. This in my humble opinion goes beyond ERPs andtalks to aligning the Technology Strategy with the Business Strategy. Forexample in the banking sector where increasingly the more savvy banks aretaking a 'Platform Thinking' approach. This allows partners to plug intotheir core technology through APIs to enable them extend capabilities andhence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need forusingTechnology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managingthe monster that is IFMIS. Let them first learn the basics ofcommunicatingeffectively with the community before taking on this elephant in theroom. *Ali Hussein**Principal**Hussein & Associates*+254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/ alihkassim[4] "We are what we repeatedly do. Excellence, therefore, is not an act but ahabit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote: Interesting comments... ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560-[5]3520560- 5j04aq/index.html ______________________________ _________________kictanet mailing listkictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[6]Twitter: http://twitter.com/kictanetFacebook: https://www.facebook.com/ KICTANet/[7] Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info% 40alyhussein.com[8] The Kenya ICT Action Network (KICTANet) is a multi- stakeholder platformfor people and institutions interested and involved in ICT policy andregulation. The network aims to act as a catalyst for reform in the ICTsector in support of the national aim of ICT enabled growth anddevelopment. KICTANetiquette : Adhere to the same standards of acceptable behaviorsonline that you follow in real life: respect people's times andbandwidth,share knowledge, don't flame or abuse or personalize, respect privacy, donot spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[9] Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/[10]

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com[11]

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[12] Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/[13]

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com[14]

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

--

Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu

<http://www.diplointernetgovernance.org/profile/GraceMutungu>

PGP ID : 0x33A3450F

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_________________________________________________

kictanet mailing list

kictanet@lists.kictanet.or.ke

https://lists.kictanet.or.ke/mailman/listinfo/kictanet

Twitter: http://twitter.com/kictanet

Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/emailsignet%40mailcan....

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Links: 1. http://ke.linkedin.com/in/alihkassim 2. https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur... 3. https://www.gov.uk/government/publications/govuk-pay/govuk-pay 4. http://ke.linkedin.com/in/alihkassim 5. http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 6. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 7. https://www.facebook.com/KICTANet/ 8. http://40alyhussein.com/ 9. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 10. https://www.facebook.com/KICTANet/ 11. https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com 12. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 13. https://www.facebook.com/KICTANet/ 14. https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com

Hi Walu - I can see from your comments that you have never worked in a finance environment. For secure setup there is no way "IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system". Simply put a person who is a trained IT expert knows too much about how the system works and therefore cannot be assigned access administration. The overall person for access admin is a "super-user" or "Chief Security Officer"or a title in that direction. This super user assigns access rights to users, such as ability to add,delete, update, edit, view, etc records. To assign these rights in practically all IT systems the super user must himself have those same rights, otherwise he/she cannot assign them to other users. A system where a super-user is an IT expert is a very weak system. The IT expert should never have ability to enter a system and change records. If you analyse the IFMIS problem you will realise that it is not a problem of IT experts infiltrating the system. It is just password misuse by ordinary users. At least I agree with you on one thing - IT expertise role and password administration must never be put in the same office. In most banks and finance environments the super-user function is undertaken by the CEO or a very senior executive who is OUTSIDE the IT function. THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system, are the weakest link. It is like having pilots who are busy with corruption to fly a plane then when the plane crashes we say there was a problem with the plane. W. On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:

@Dr Siganga, my comments below:

...

...

1. Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system.

...

Response:Yes and NO.

Yes passwords and their access levels are controls that mimic the authorization levels of the manual system. However, their implementation in an ideal environment should be segregated. E.g the finance director should say in writing: 'I need my accountant to do x, y & z function' . The IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system.

Finance retains the administrative oversight in terms of triggering the password request and profiling the access levels desired. IT retains the technical function of implementing the same. Never put these two roles in one office. Shida mingi inajiletea.

...

...

2. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

RESPONSE: Yes and NO.

Yes, independent or external auditors (hopefully Information System Auditors) do review the technical controls. But this is often an annual exercise. So serious organisation do not wait for a year to be told their controls were not effective. They have INTERNAL information system auditors (who are technical) to continuously monitor/enforce that these IT controls are in place, working and/or need to be updated. Other organisation may allocate this role to the Information Security Officer, either way these are ICT technical chaps.

walu.

From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke> Sent: Wednesday, January 18, 2017 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system.

I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords).

W.

On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

...

Grace B via kictanet <kictanet@lists.kictanet.or.ke> wrote>>>

...

Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

...

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

...

It is often a confusing and thin line. The line between Administrative and Technical authority.

...

But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.

...

These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse.

...

If we get this seperation of authority right, we solve the IFMIS puzzle.

...

walu.

...

...

...

From: Grace B via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

...

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

Regards

...

...

2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke>:

...

Barrack

...

...

...

...

We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.

...

...

I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT...

...

...

Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.

Ali Hussein

...

...

Principal

...

...

Hussein & Associates

...

...

+254 0713 601113

...

...

...

...

Twitter: @AliHKassim

...

...

Skype: abu-jomo

...

...

LinkedIn: http://ke.linkedin. com/in/alihkassim[1]

...

...

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

...

...

Sent from my iPad

...

...

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke > wrote:

...

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke

...

wrote:Doubt Treasury economists and accountants are well placed to provide CyberSecurity :) We need the ICT Authority to configure enterprise wide data protection(limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration. un.org/egovkb/en- us/Reports/ UN-E-Government-Survey-2016[2] The Government Digital Service (GDS) is part of their Cabinet Office, nottheir Treasury. https://www.gov.uk/government/ publications/govuk-pay/govuk- pay[3] Their Treasury is consulted about the payment system 👆🏾 the GDScontinues to build. SMM *"Better a patient person than a warrior, one with self-control than onewho takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote: I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have neverheard in my life of an ERP Director. This is just adding a superfluouslayer of useless bureaucracy. The owner of an ERP is the business with each department taking ownershipof their components:- 1. Financials - CFO2. CRM (Commercial/marketing/sales)3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled toexecute on its mandate. This in my humble opinion goes beyond ERPs andtalks to aligning the Technology Strategy with the Business Strategy. Forexample in the banking sector where increasingly the more savvy banks aretaking a 'Platform Thinking' approach. This allows partners to plug intotheir core technology through APIs to enable them extend capabilities andhence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need forusingTechnology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managingthe monster that is IFMIS. Let them first learn the basics ofcommunicatingeffectively with the community before taking on this elephant in theroom. *Ali Hussein**Principal**Hussein & Associates*+254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/ alihkassim[4] "We are what we repeatedly do. Excellence, therefore, is not an act but ahabit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote: Interesting comments... ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560-[5]3520560- 5j04aq/index.html ______________________________ _________________kictanet mailing listkictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[6]Twitter: http://twitter.com/kictanetFacebook: https://www.facebook.com/ KICTANet/[7] Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info% 40alyhussein.com[8] The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platformfor people and institutions interested and involved in ICT policy andregulation. The network aims to act as a catalyst for reform in the ICTsector in support of the national aim of ICT enabled growth anddevelopment. KICTANetiquette : Adhere to the same standards of acceptable behaviorsonline that you follow in real life: respect people's times andbandwidth,share knowledge, don't flame or abuse or personalize, respect privacy, donot spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[9] Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/[10]

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com[11]

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[12] Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/[13]

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com[14]

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

--

...

Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu

<http://www.diplointernetgovernance.org/profile/GraceMutungu>

...

PGP ID : 0x33A3450F

...

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_________________________________________________

...

kictanet mailing list

...

kictanet@lists.kictanet.or.ke

...

https://lists.kictanet.or.ke/mailman/listinfo/kictanet

...

Twitter: http://twitter.com/kictanet

...

Facebook: https://www.facebook.com/KICTANet/

...

...

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/emailsignet%40mailcan....

...

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

...

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Links: 1. http://ke.linkedin.com/in/alihkassim 2. https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur... 3. https://www.gov.uk/government/publications/govuk-pay/govuk-pay 4. http://ke.linkedin.com/in/alihkassim 5. http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 6. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 7. https://www.facebook.com/KICTANet/ 8. http://40alyhussein.com/ 9. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 10. https://www.facebook.com/KICTANet/ 11. https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com 12. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 13. https://www.facebook.com/KICTANet/ 14. https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com

I agree with Dr. Siganga and Dr. Ndemo. The weakest link in all systems is the human side – the system users failing to follow procedures. Of course the technical aspects also require auditing and implementation of improvements to restore confidence. Regards. From: kictanet [mailto:kictanet-bounces+pmwanyika=kengen.co.ke@lists.kictanet.or.ke] On Behalf Of waudo siganga via kictanet Sent: Thursday, January 19, 2017 10:37 AM To: Peter Mwanyika <pmwanyika@kengen.co.ke> Cc: waudo siganga <emailsignet@mailcan.com> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Hi Walu - I can see from your comments that you have never worked in a finance environment. For secure setup there is no way "IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system". Simply put a person who is a trained IT expert knows too much about how the system works and therefore cannot be assigned access administration. The overall person for access admin is a "super-user" or "Chief Security Officer"or a title in that direction. This super user assigns access rights to users, such as ability to add,delete, update, edit, view, etc records. To assign these rights in practically all IT systems the super user must himself have those same rights, otherwise he/she cannot assign them to other users. A system where a super-user is an IT expert is a very weak system. The IT expert should never have ability to enter a system and change records. If you analyse the IFMIS problem you will realise that it is not a problem of IT experts infiltrating the system. It is just password misuse by ordinary users. At least I agree with you on one thing - IT expertise role and password administration must never be put in the same office. In most banks and finance environments the super-user function is undertaken by the CEO or a very senior executive who is OUTSIDE the IT function. THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system, are the weakest link. It is like having pilots who are busy with corruption to fly a plane then when the plane crashes we say there was a problem with the plane. W. On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote: @Dr Siganga, my comments below:

...

1. Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system.

...

Response:Yes and NO. Yes passwords and their access levels are controls that mimic the authorization levels of the manual system. However, their implementation in an ideal environment should be segregated. E.g the finance director should say in writing: 'I need my accountant to do x, y & z function' . The IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system.

Finance retains the administrative oversight in terms of triggering the password request and profiling the access levels desired. IT retains the technical function of implementing the same. Never put these two roles in one office. Shida mingi inajiletea.

...

2. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

RESPONSE: Yes and NO. Yes, independent or external auditors (hopefully Information System Auditors) do review the technical controls. But this is often an annual exercise. So serious organisation do not wait for a year to be told their controls were not effective. They have INTERNAL information system auditors (who are technical) to continuously monitor/enforce that these IT controls are in place, working and/or need to be updated. Other organisation may allocate this role to the Information Security Officer, either way these are ICT technical chaps.

walu. ________________________________ From: waudo siganga <emailsignet@mailcan.com<mailto:emailsignet@mailcan.com>> To: Walubengo J <jwalu@yahoo.com<mailto:jwalu@yahoo.com>>; KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> Sent: Wednesday, January 18, 2017 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor. Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords). W. On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote: Grace B via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> wrote>>> Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

It is often a confusing and thin line. The line between Administrative and Technical authority. But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc. These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse. If we get this seperation of authority right, we solve the IFMIS puzzle. walu. ________________________________ From: Grace B via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> To: jwalu@yahoo.com<mailto:jwalu@yahoo.com> Cc: Grace B <nmutungu@gmail.com<mailto:nmutungu@gmail.com>> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury? Regards 2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>>: Barrack We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system. I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT... Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further. Ali Hussein Principal Hussein & Associates +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin. com/in/alihkassim<http://ke.linkedin.com/in/alihkassim> "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> > wrote: Hi Ali, ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments. Regards On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> > wrote: Doubt Treasury economists and accountants are well placed to provide Cyber Security :) We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016<https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016> The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury. https://www.gov.uk/government/ publications/govuk-pay/govuk- pay<https://www.gov.uk/government/publications/govuk-pay/govuk-pay> Their Treasury is consulted about the payment system 👆🏾 the GDS continues to build. SMM *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke<mailto:ali@hussein.me.ke>> wrote: I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy. The owner of an ERP is the business with each department taking ownership of their components:- 1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room. *Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/ alihkassim<http://ke.linkedin.com/in/alihkassim> "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> wrote: Interesting comments... ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560-<http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-> 3520560-5j04aq/index.html ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/ mailman/listinfo/kictanet<https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/<https://www.facebook.com/KICTANet/> Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com<http://40alyhussein.com/> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. -- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/ mailman/listinfo/kictanet<https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/<https://www.facebook.com/KICTANet/> Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com<https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/ mailman/listinfo/kictanet<https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/<https://www.facebook.com/KICTANet/> Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com<https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. -- Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu <http://www.diplointernetgovernance.org/profile/GraceMutungu> PGP ID : 0x33A3450F _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/emailsignet%40mailcan.... The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Thank Walu. I'll wait fro the coffee... W. On Thu, Jan 19, 2017, at 11:33 AM, Walubengo J wrote:

@Daktari Siganga,

I was the ICT Director for our university for 5yrs and managed both the University Network & ERP - but I dont say :-)

We switch between the classroom and ICT operations like that. So I kinda have both the academic and practical view of these things

Anyway, you are right in that the IT expert(Superuser) should NOT be a normal 'Finance' /'HR'/Procurement/ or other regualr user of the ERP. However, the IT guys still assign these roles and privileges to the various functional users. i.e. they must grant rights to the Finance/HR/ and other Directors to execute their work within the ERP.

Different implementations (company policy) maybe that this is delegated to the various functional heads who can then subsequently grant privileges/access rights down through their departments.

But this is NOT ideal since you lose the segregation of duties where you want the Functional heads(e.g. Finance Director) to make the access- rights requests IN WRITING, and have SOMEONE ELSE implement that request.

This is the 'control' auditors are looking for when auditing the information system later on - in terms of checks and balances. Such a control is what leads to the questions like:- a) Who within the ERP system has privileges that were not formally requested for in writing? Or b) Who within the ERP system has more privileges than what was formally requested for? c) Who within the ERP exists but has no supporting access request from the Functional head? d) etc, etc.

Even if the IT expert abused his/her superuser privileges by granting themselves some user rights within the Financial module, they will be outed by the above audit process.

Denying the IT expert the ability to grant access rights within the ERP and passing the same to the functional heads does not solve the problem of abuse. The functional heads can simply become the new kingpins. Only segregation of duty cures the problem of abuse.

But we can meet over coffee and share the pros and cons of the various implementations :-)

walu.

From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke> Sent: Thursday, January 19, 2017 10:36 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Hi Walu - I can see from your comments that you have never worked in a finance environment. For secure setup there is no way "IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system". Simply put a person who is a trained IT expert knows too much about how the system works and therefore cannot be assigned access administration. The overall person for access admin is a "super-user" or "Chief Security Officer"or a title in that direction. This super user assigns access rights to users, such as ability to add,delete, update, edit, view, etc records. To assign these rights in practically all IT systems the super user must himself have those same rights, otherwise he/she cannot assign them to other users. A system where a super-user is an IT expert is a very weak system. The IT expert should never have ability to enter a system and change records. If you analyse the IFMIS problem you will realise that it is not a problem of IT experts infiltrating the system. It is just password misuse by ordinary users. At least I agree with you on one thing - IT expertise role and password administration must never be put in the same office. In most banks and finance environments the super-user function is undertaken by the CEO or a very senior executive who is OUTSIDE the IT function.

THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system, are the weakest link. It is like having pilots who are busy with corruption to fly a plane then when the plane crashes we say there was a problem with the plane.

W.

On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:

...

@Dr Siganga, my comments below:

...

...

...

...

1. Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system.

...

...

Response:Yes and NO.

...

Yes passwords and their access levels are controls that mimic the authorization levels of the manual system. However, their implementation in an ideal environment should be segregated. E.g the finance director should say in writing: 'I need my accountant to do x, y & z function' . The IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system.

...

Finance retains the administrative oversight in terms of triggering the password request and profiling the access levels desired. IT retains the technical function of implementing the same. Never put these two roles in one office. Shida mingi inajiletea.

...

...

...

2. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

...

RESPONSE: Yes and NO.

...

Yes, independent or external auditors (hopefully Information System Auditors) do review the technical controls. But this is often an annual exercise. So serious organisation do not wait for a year to be told their controls were not effective. They have INTERNAL information system auditors (who are technical) to continuously monitor/enforce that these IT controls are in place, working and/or need to be updated. Other organisation may allocate this role to the Information Security Officer, either way these are ICT technical chaps.

...

walu.

...

...

...

From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke> Sent: Wednesday, January 18, 2017 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

...

Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system.

...

I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

...

Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords).

...

W.

...

...

On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

...

...

Grace B via kictanet <kictanet@lists.kictanet.or.ke> wrote>>>

...

...

Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

...

...

...

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

...

...

It is often a confusing and thin line. The line between Administrative and Technical authority.

...

...

But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.

...

...

These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse.

...

...

If we get this seperation of authority right, we solve the IFMIS puzzle.

...

...

walu.

...

...

...

...

...

...

From: Grace B via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

...

...

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

Regards

...

...

...

...

2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke>:

...

Barrack

...

...

...

...

...

...

We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.

...

...

...

I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT...

...

...

...

Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.

Ali Hussein

...

...

...

Principal

...

...

...

Hussein & Associates

...

...

...

+254 0713 601113

...

...

...

...

...

...

Twitter: @AliHKassim

...

...

...

Skype: abu-jomo

...

...

...

LinkedIn: http://ke.linkedin. com/in/alihkassim[1]

...

...

...

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

...

...

...

Sent from my iPad

...

...

...

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke > wrote:

...

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke > wrote:Doubt Treasury economists and accountants are well placed to provide CyberSecurity :) We need the ICT Authority to configure enterprise wide data protection(limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey- 2016[2] The Government Digital Service (GDS) is part of their Cabinet Office, nottheir Treasury. https://www.gov.uk/government/ publications/govuk-pay/govuk- pay[3] Their Treasury is consulted about the payment system 👆🏾 the GDScontinues to build. SMM *"Better a patient person than a warrior, one with self-control than onewho takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote: I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have neverheard in my life of an ERP Director. This is just adding a superfluouslayer of useless bureaucracy. The owner of an ERP is the business with each department taking ownershipof their components:- 1. Financials - CFO2. CRM (Commercial/marketing/sales)3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled toexecute on its mandate. This in my humble opinion goes beyond ERPs andtalks to aligning the Technology Strategy with the Business Strategy. Forexample in the banking sector where increasingly the more savvy banks aretaking a 'Platform Thinking' approach. This allows partners to plug intotheir core technology through APIs to enable them extend capabilities andhence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need forusingTechnology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managingthe monster that is IFMIS. Let them first learn the basics ofcommunicatingeffectively with the community before taking on this elephant in theroom. *Ali Hussein**Principal**Hussein & Associates*+254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/ alihkassim[4] "We are what we repeatedly do. Excellence, therefore, is not an act but ahabit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote: Interesting comments... ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560-[5]3520560- 5j04aq/index.html ______________________________ _________________kictanet mailing listkictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[6]Twitter: http://twitter.com/kictanetFacebook: https://www.facebook.com/ KICTANet/[7] Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info% 40alyhussein.com[8] The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platformfor people and institutions interested and involved in ICT policy andregulation. The network aims to act as a catalyst for reform in the ICTsector in support of the national aim of ICT enabled growth anddevelopment. KICTANetiquette : Adhere to the same standards of acceptable behaviorsonline that you follow in real life: respect people's times andbandwidth,share knowledge, don't flame or abuse or personalize, respect privacy, donot spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[9] Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/[10]

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com[11]

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet[12] Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/[13]

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com[14]

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

--

...

...

Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu

<http://www.diplointernetgovernance.org/profile/GraceMutungu>

...

...

PGP ID : 0x33A3450F

...

...

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_________________________________________________

...

...

kictanet mailing list

...

...

kictanet@lists.kictanet.or.ke

...

...

https://lists.kictanet.or.ke/mailman/listinfo/kictanet

...

...

Twitter: http://twitter.com/kictanet

...

...

Facebook: https://www.facebook.com/KICTANet/

...

...

...

...

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/emailsignet%40mailcan....

...

...

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

...

...

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

Links: 1. http://ke.linkedin.com/in/alihkassim 2. https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur... 3. https://www.gov.uk/government/publications/govuk-pay/govuk-pay 4. http://ke.linkedin.com/in/alihkassim 5. http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 6. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 7. https://www.facebook.com/KICTANet/ 8. http://40alyhussein.com/ 9. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 10. https://www.facebook.com/KICTANet/ 11. https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com 12. https://lists.kictanet.or.ke/mailman/listinfo/kictanet 13. https://www.facebook.com/KICTANet/ 14. https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com

@Muritu, ICT Governance Framework?...spot on. The software is innocent. How you shape the people, processes and procedures around it so as to have checks and balances is what makes or breaks software. This is often quite obvious at the political level i.e Executive, Legislature and Judiciary relationships,  but rarely understood nor practiced within the ICT ecosystem. I alway recommend the COBIT framework for those keen on ICT Governance issues.  | | COBIT - IT Governance Framework - Infor... | | @Muraya, organize an IFMIS forum and invite me. Would be glad to give my fraction of bitcoins :-) walu. From: James Muritu via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: James Muritu <james.muritu@gmail.com> Sent: Thursday, January 19, 2017 12:31 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Interesting conversations going on here. In simple terms, what IFIMIS lacks is a Governance Framework. The "software component" of an ERP is just one drop in the ocean. People+Processes+Operating Procedures+Decision Rights are the bigger drops. Am currently reviewing a similar system in a Kenya based corporation and for almost 2 years, the system had been blamed for all the wrong reasons. The ultimate results, revealed more loopholes outside the actual software. On Thu, Jan 19, 2017 at 12:01 PM, waudo siganga via kictanet <kictanet@lists.kictanet.or.ke> wrote: Thank Walu. I'll wait fro the coffee...W. On Thu, Jan 19, 2017, at 11:33 AM, Walubengo J wrote: @Daktari Siganga, I was the ICT Director for our university for 5yrs and managed both the University Network &  ERP - but I dont say :-) We switch between the classroom and ICT operations like that. So I kinda have both the academic and practical view of these things   Anyway, you are right in that the IT expert(Superuser) should NOT  be a normal  'Finance' /'HR'/Procurement/ or other regualr user of the ERP.  However, the IT guys still assign these roles and privileges to the various functional users. i.e. they must grant rights to the Finance/HR/ and other Directors to execute their work within the ERP. Different implementations (company policy) maybe that this is delegated to the various functional heads who can then subsequently grant privileges/access rights down through their departments.   But this is NOT ideal since you lose the segregation of duties where you want the Functional heads(e.g. Finance Director) to make the access-rights requests IN WRITING, and have SOMEONE ELSE implement that request. This is the 'control' auditors are looking for when auditing the information system later on - in terms of checks and balances. Such a control is what leads to the questions like:-a) Who within the ERP system has privileges that were not formally requested for in writing? Or b) Who within the ERP system has more privileges than what was formally requested for? c) Who within the ERP exists but has no supporting access request from the Functional head?d) etc, etc. Even if the IT expert abused his/her superuser privileges by granting themselves some user rights within the Financial module, they will be outed by the above audit process. Denying the IT expert the ability to grant access rights within the ERP and passing the same to the functional heads does not solve the problem of abuse. The functional heads can simply become the new kingpins. Only segregation of duty cures the problem of abuse. But we can meet over coffee and share the pros and cons of the various  implementations :-) walu.   From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke > Sent: Thursday, January 19, 2017 10:36 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Hi Walu - I can see from your comments that you have never worked in a finance environment. For secure setup there is no way "IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system". Simply put a person who is a trained IT expert knows too much about how the system works and therefore cannot be assigned access administration. The overall person for access admin is a "super-user" or "Chief Security Officer"or a title in that direction. This super user assigns access rights to users, such as ability to add,delete, update, edit, view, etc records. To assign these rights in practically all IT systems the super user must himself have those same rights, otherwise he/she cannot assign them to other users. A system where a super-user is an IT expert is a very weak system. The IT expert should never have ability to enter a system and change records. If you analyse the IFMIS problem you will realise that it is not a problem of IT experts infiltrating the system. It is just password misuse by ordinary users. At least I agree with you on one thing - IT expertise role and password administration must never be put in the same office. In most banks and finance environments the super-user function is undertaken by the CEO or a very senior executive who is OUTSIDE the IT function. THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system, are the weakest link. It is like having pilots who are busy with corruption to fly a plane then when the plane crashes we say there was a problem with the plane. W. On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote: @Dr Siganga, my comments below: >>1. Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system.>>>Response:Yes and NO. Yes passwords and their access levels are controls that mimic the authorization levels of the manual system. However, their implementation in an ideal environment should be segregated.   E.g the finance director should say in writing: 'I need my accountant to do x, y & z function' .  The IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system.  Finance retains the administrative oversight in terms of triggering the password request and profiling the access levels desired. IT retains the technical function of implementing the same. Never put these two roles in one office. Shida mingi inajiletea. >>2. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.>>RESPONSE: Yes and NO.Yes, independent or external auditors (hopefully Information System Auditors) do review the  technical controls. But this is often an annual exercise. So serious organisation do not wait for a year to be told their controls were not effective. They have INTERNAL information system auditors (who are technical) to continuously  monitor/enforce that these IT controls are in place, working and/or need to be updated. Other organisation may allocate this role to the Information Security Officer, either way these are ICT technical chaps. walu.   From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions <kictanet@lists.kictanet.or.ke > Sent: Wednesday, January 18, 2017 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor. Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords). W. On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote: Grace B via kictanet <kictanet@lists.kictanet.or.ke > wrote>>>Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?  >>Segregation of duties solves this.  Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame). It is often a confusing and thin line. The line between Administrative and Technical authority.   But you can look at it in terms of the President's Security detail.   The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.  These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse. If we get this seperation of authority right, we solve the IFMIS puzzle. walu.  From: Grace B via kictanet <kictanet@lists.kictanet.or.ke > To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?  Regards 2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke >: Barrack We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.  I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT... Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.  Ali HusseinPrincipalHussein & Associates+254 0713 601113  Twitter: @AliHKassimSkype: abu-jomoLinkedIn: http://ke.linkedin. com/in/alihkassim"We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle  Sent from my iPad On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke > wrote:   Hi Ali, ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments. Regards On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke > wrote: Doubt Treasury economists and accountants are well placed to provide Cyber Security :)   We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS).   In 2016, the UN ranked the UK as # 1 in providing digital services.   https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016   The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury.   https://www.gov.uk/government/ publications/govuk-pay/govuk- pay   Their Treasury is consulted about the payment system  👆🏾  the GDS continues to build.         SMM   *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*   On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:   I fundamentally disagree with this assertion.   First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy.   The owner of an ERP is the business with each department taking ownership of their components:-   1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance   Etc.   The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers.   The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models.   Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room.   *Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113   Twitter: @AliHKassim   Skype: abu-jomo   LinkedIn: http://ke.linkedin.com/in/ alihkassim   "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle     Sent from my iPad   On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote:   Interesting comments...   ICT Authority, not Treasury, should oversee IFMIS   http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560- 3520560-5j04aq/index.html   ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/   Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com   The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.   KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.       -- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/  Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.   --Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu <http://www. diplointernetgovernance.org/ profile/GraceMutungu> PGP ID : 0x33A3450F   ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ jwalu%40yahoo.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.  ______________________________ _________________kictanet mailing listkictanet@lists.kictanet.or.kehttps://lists.kictanet.or.ke/ mailman/listinfo/kictanetTwitter: http://twitter.com/kictanetFacebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ emailsignet%40mailcan.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.     ______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ james.muritu%40gmail.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

We also have numerous Standards such as the ISO 27000 series available at Kenya Bureau of Standards that address most of the human and security issues at the cost of a crate of milk, so far it appears only the Communications Authority has embraced the same, time for this standards to added to the Perfomance contracting framework. Regards On 1/19/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote:

@Walu It should be a KICTA (not Treasury) event (hopefully in Nairobi).

How else do they prove they are an "Authority" in providing Cyber security and transparency in Government?

SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

On Thu, Jan 19, 2017 at 1:15 PM, Walubengo J via kictanet < kictanet@lists.kictanet.or.ke> wrote:

...

@Muritu,

ICT Governance Framework?...spot on. The software is innocent. How you shape the people, processes and procedures around it so as to have checks and balances is what makes or breaks software.

This is often quite obvious at the political level i.e Executive, Legislature and Judiciary relationships, but rarely understood nor practiced within the ICT ecosystem. I alway recommend the COBIT framework <http://www.isaca.org/knowledge-center/cobit/pages/overview.aspx> for those keen on ICT Governance issues.

COBIT - IT Governance Framework - Infor... <http://www.isaca.org/knowledge-center/cobit/pages/overview.aspx>

@Muraya, organize an IFMIS forum and invite me. Would be glad to give my fraction of bitcoins :-)

walu.

------------------------------ *From:* James Muritu via kictanet <kictanet@lists.kictanet.or.ke> *To:* jwalu@yahoo.com *Cc:* James Muritu <james.muritu@gmail.com> *Sent:* Thursday, January 19, 2017 12:31 PM

*Subject:* Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting conversations going on here. In simple terms, what IFIMIS lacks is a Governance Framework. The "software component" of an ERP is just one drop in the ocean. People+Processes+Operating Procedures+Decision Rights are the bigger drops. Am currently reviewing a similar system in a Kenya based corporation and for almost 2 years, the system had been blamed for all the wrong reasons. The ultimate results, revealed more loopholes outside the actual software.

On Thu, Jan 19, 2017 at 12:01 PM, waudo siganga via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Thank Walu. I'll wait fro the coffee... W.

On Thu, Jan 19, 2017, at 11:33 AM, Walubengo J wrote:

@Daktari Siganga,

I was the ICT Director for our university for 5yrs and managed both the University Network & ERP - but I dont say :-)

We switch between the classroom and ICT operations like that. So I kinda have both the academic and practical view of these things

Anyway, you are right in that the IT expert(Superuser) should NOT be a normal 'Finance' /'HR'/Procurement/ or other regualr user of the ERP. However, the IT guys still assign these roles and privileges to the various functional users. i.e. they must grant rights to the Finance/HR/ and other Directors to execute their work within the ERP.

Different implementations (company policy) maybe that this is delegated to the various functional heads who can then subsequently grant privileges/access rights down through their departments.

But this is NOT ideal since you lose the segregation of duties where you want the Functional heads(e.g. Finance Director) to make the access-rights requests IN WRITING, and have SOMEONE ELSE implement that request.

This is the 'control' auditors are looking for when auditing the information system later on - in terms of checks and balances. Such a control is what leads to the questions like:- a) Who within the ERP system has privileges that were not formally requested for in writing? Or b) Who within the ERP system has more privileges than what was formally requested for? c) Who within the ERP exists but has no supporting access request from the Functional head? d) etc, etc.

Even if the IT expert abused his/her superuser privileges by granting themselves some user rights within the Financial module, they will be outed by the above audit process.

Denying the IT expert the ability to grant access rights within the ERP and passing the same to the functional heads does not solve the problem of abuse. The functional heads can simply become the new kingpins. Only segregation of duty cures the problem of abuse.

But we can meet over coffee and share the pros and cons of the various implementations :-)

walu.

------------------------------ From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions < kictanet@lists.kictanet.or.ke > Sent: Thursday, January 19, 2017 10:36 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Hi Walu - I can see from your comments that you have never worked in a finance environment. For secure setup there is no way "IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system". Simply put a person who is a trained IT expert knows too much about how the system works and therefore cannot be assigned access administration. The overall person for access admin is a "super-user" or "Chief Security Officer"or a title in that direction. This super user assigns access rights to users, such as ability to add,delete, update, edit, view, etc records. To assign these rights in practically all IT systems the super user must himself have those same rights, otherwise he/she cannot assign them to other users. A system where a super-user is an IT expert is a very weak system. The IT expert should never have ability to enter a system and change records. If you analyse the IFMIS problem you will realise that it is not a problem of IT experts infiltrating the system. It is just password misuse by ordinary users. At least I agree with you on one thing - IT expertise role and password administration must never be put in the same office. In most banks and finance environments the super-user function is undertaken by the CEO or a very senior executive who is OUTSIDE the IT function.

THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system, are the weakest link. It is like having pilots who are busy with corruption to fly a plane then when the plane crashes we say there was a problem with the plane.

W.

On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:

@Dr Siganga, my comments below:

...

...

1. Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system.

...

Response:Yes and NO. Yes passwords and their access levels are controls that mimic the authorization levels of the manual system. However, their implementation in an ideal environment should be segregated. E.g the finance director should say in writing: 'I need my accountant to do x, y & z function' . The IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system.

Finance retains the administrative oversight in terms of triggering the password request and profiling the access levels desired. IT retains the technical function of implementing the same. Never put these two roles in one office. Shida mingi inajiletea.

...

...

2. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

RESPONSE: Yes and NO. Yes, independent or external auditors (hopefully Information System Auditors) do review the technical controls. But this is often an annual exercise. So serious organisation do not wait for a year to be told their controls were not effective. They have INTERNAL information system auditors (who are technical) to continuously monitor/enforce that these IT controls are in place, working and/or need to be updated. Other organisation may allocate this role to the Information Security Officer, either way these are ICT technical chaps.

walu.

------------------------------ From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions < kictanet@lists.kictanet.or.ke > Sent: Wednesday, January 18, 2017 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system.

I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords).

W.

On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

Grace B via kictanet <kictanet@lists.kictanet.or.ke > wrote>>> Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

It is often a confusing and thin line. The line between Administrative and Technical authority.

But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.

These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse.

If we get this seperation of authority right, we solve the IFMIS puzzle.

walu.

------------------------------ From: Grace B via kictanet <kictanet@lists.kictanet.or.ke > To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

Regards

2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet < kictanet@lists.kictanet.or.ke >:

Barrack

We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.

I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT...

Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.

Ali Hussein Principal Hussein & Associates +254 0713 601113

Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin. com/in/alihkassim <http://ke.linkedin.com/in/alihkassim> "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet < kictanet@lists.kictanet.or.ke > wrote:

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke > wrote:

Doubt Treasury economists and accountants are well placed to provide Cyber

Security :)

We need the ICT Authority to configure enterprise wide data protection

(limiting theft of passwords & access to IFMIS).

In 2016, the UN ranked the UK as # 1 in providing digital services.

https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016 <https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016>

The Government Digital Service (GDS) is part of their Cabinet Office, not

their Treasury.

https://www.gov.uk/government/ publications/govuk-pay/govuk- pay <https://www.gov.uk/government/publications/govuk-pay/govuk-pay>

Their Treasury is consulted about the payment system 👆🏾 the GDS

continues to build.

SMM

*"Better a patient person than a warrior, one with self-control than one

who takes a city." Prov 16:32*

On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never

heard in my life of an ERP Director. This is just adding a superfluous

layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership

of their components:-

1. Financials - CFO

2. CRM (Commercial/marketing/sales)

3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to

execute on its mandate. This in my humble opinion goes beyond ERPs and

talks to aligning the Technology Strategy with the Business Strategy. For

example in the banking sector where increasingly the more savvy banks are

taking a 'Platform Thinking' approach. This allows partners to plug into

their core technology through APIs to enable them extend capabilities and

hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for

using

Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing

the monster that is IFMIS. Let them first learn the basics of

communicating

effectively with the community before taking on this elephant in the

room.

*Ali Hussein*

*Principal*

*Hussein & Associates*

+254 0713 601113

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/ alihkassim <http://ke.linkedin.com/in/alihkassim>

"We are what we repeatedly do. Excellence, therefore, is not an act but a

habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <

kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560- <http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560->

3520560-5j04aq/index.html

______________________________ _________________

kictanet mailing list

kictanet@lists.kictanet.or.ke

https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>

Twitter: http://twitter.com/kictanet

Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/

mailman/options/kictanet/info% 40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform

for people and institutions interested and involved in ICT policy and

regulation. The network aims to act as a catalyst for reform in the ICT

sector in support of the national aim of ICT enabled growth and

development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors

online that you follow in real life: respect people's times and

bandwidth,

share knowledge, don't flame or abuse or personalize, respect privacy, do

not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com <https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com <https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu

<http://www. diplointernetgovernance.org/ profile/GraceMutungu <http://www.diplointernetgovernance.org/profile/GraceMutungu>>

PGP ID : 0x33A3450F

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ jwalu%40yahoo.com <https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

*______________________________ _________________* kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ emailsignet%40mailcan.com <https://lists.kictanet.or.ke/mailman/options/kictanet/emailsignet%40mailcan.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ james.muritu%40gmail.com <https://lists.kictanet.or.ke/mailman/options/kictanet/james.muritu%40gmail.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/jwalu%40yahoo.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/murigi.muraya%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

Hi Alex, Interesting, was it dropped? Do you know the reasons why? Best Regards On 1/19/17, awatila@yahoo.co.uk <awatila@yahoo.co.uk> wrote:

ISO 27001 was actually in the performance contracts of state corporations a few years back. It used to be the next step after ISO 9001 certification requirements in the performance contract.

Also IT departments of organizations that are ISO 9001 (QMS) certified are audited using ISO 27001 controls.

Regards,

Alex

Sent from Windows Mail

From: KICTAnet ICT Policy Discussions Sent: ‎Thursday‎, ‎January‎ ‎19‎, ‎2017 ‎3‎:‎20‎ ‎PM To: 'Watila Alex - Current' Cc: Barrack Otieno

We also have numerous Standards such as the ISO 27000 series available at Kenya Bureau of Standards that address most of the human and security issues at the cost of a crate of milk, so far it appears only the Communications Authority has embraced the same, time for this standards to added to the Perfomance contracting framework.

Regards

On 1/19/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote:

...

@Walu It should be a KICTA (not Treasury) event (hopefully in Nairobi).

How else do they prove they are an "Authority" in providing Cyber security and transparency in Government?

SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

On Thu, Jan 19, 2017 at 1:15 PM, Walubengo J via kictanet < kictanet@lists.kictanet.or.ke> wrote:

...

@Muritu,

ICT Governance Framework?...spot on. The software is innocent. How you shape the people, processes and procedures around it so as to have checks and balances is what makes or breaks software.

This is often quite obvious at the political level i.e Executive, Legislature and Judiciary relationships, but rarely understood nor practiced within the ICT ecosystem. I alway recommend the COBIT framework <http://www.isaca.org/knowledge-center/cobit/pages/overview.aspx> for those keen on ICT Governance issues.

COBIT - IT Governance Framework - Infor... <http://www.isaca.org/knowledge-center/cobit/pages/overview.aspx>

@Muraya, organize an IFMIS forum and invite me. Would be glad to give my fraction of bitcoins :-)

walu.

------------------------------ *From:* James Muritu via kictanet <kictanet@lists.kictanet.or.ke> *To:* jwalu@yahoo.com *Cc:* James Muritu <james.muritu@gmail.com> *Sent:* Thursday, January 19, 2017 12:31 PM

*Subject:* Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting conversations going on here. In simple terms, what IFIMIS lacks is a Governance Framework. The "software component" of an ERP is just one drop in the ocean. People+Processes+Operating Procedures+Decision Rights are the bigger drops. Am currently reviewing a similar system in a Kenya based corporation and for almost 2 years, the system had been blamed for all the wrong reasons. The ultimate results, revealed more loopholes outside the actual software.

On Thu, Jan 19, 2017 at 12:01 PM, waudo siganga via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Thank Walu. I'll wait fro the coffee... W.

On Thu, Jan 19, 2017, at 11:33 AM, Walubengo J wrote:

@Daktari Siganga,

I was the ICT Director for our university for 5yrs and managed both the University Network & ERP - but I dont say :-)

We switch between the classroom and ICT operations like that. So I kinda have both the academic and practical view of these things

Anyway, you are right in that the IT expert(Superuser) should NOT be a normal 'Finance' /'HR'/Procurement/ or other regualr user of the ERP. However, the IT guys still assign these roles and privileges to the various functional users. i.e. they must grant rights to the Finance/HR/ and other Directors to execute their work within the ERP.

Different implementations (company policy) maybe that this is delegated to the various functional heads who can then subsequently grant privileges/access rights down through their departments.

But this is NOT ideal since you lose the segregation of duties where you want the Functional heads(e.g. Finance Director) to make the access-rights requests IN WRITING, and have SOMEONE ELSE implement that request.

This is the 'control' auditors are looking for when auditing the information system later on - in terms of checks and balances. Such a control is what leads to the questions like:- a) Who within the ERP system has privileges that were not formally requested for in writing? Or b) Who within the ERP system has more privileges than what was formally requested for? c) Who within the ERP exists but has no supporting access request from the Functional head? d) etc, etc.

Even if the IT expert abused his/her superuser privileges by granting themselves some user rights within the Financial module, they will be outed by the above audit process.

Denying the IT expert the ability to grant access rights within the ERP and passing the same to the functional heads does not solve the problem of abuse. The functional heads can simply become the new kingpins. Only segregation of duty cures the problem of abuse.

But we can meet over coffee and share the pros and cons of the various implementations :-)

walu.

------------------------------ From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions < kictanet@lists.kictanet.or.ke > Sent: Thursday, January 19, 2017 10:36 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Hi Walu - I can see from your comments that you have never worked in a finance environment. For secure setup there is no way "IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system". Simply put a person who is a trained IT expert knows too much about how the system works and therefore cannot be assigned access administration. The overall person for access admin is a "super-user" or "Chief Security Officer"or a title in that direction. This super user assigns access rights to users, such as ability to add,delete, update, edit, view, etc records. To assign these rights in practically all IT systems the super user must himself have those same rights, otherwise he/she cannot assign them to other users. A system where a super-user is an IT expert is a very weak system. The IT expert should never have ability to enter a system and change records. If you analyse the IFMIS problem you will realise that it is not a problem of IT experts infiltrating the system. It is just password misuse by ordinary users. At least I agree with you on one thing - IT expertise role and password administration must never be put in the same office. In most banks and finance environments the super-user function is undertaken by the CEO or a very senior executive who is OUTSIDE the IT function.

THERE IS NO PROBLEM WITH IFMIS. The users, as is normal in any IT system, are the weakest link. It is like having pilots who are busy with corruption to fly a plane then when the plane crashes we say there was a problem with the plane.

W.

On Wed, Jan 18, 2017, at 02:54 PM, Walubengo J wrote:

@Dr Siganga, my comments below:

...

...

1. Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system.

...

Response:Yes and NO. Yes passwords and their access levels are controls that mimic the authorization levels of the manual system. However, their implementation in an ideal environment should be segregated. E.g the finance director should say in writing: 'I need my accountant to do x, y & z function' . The IT guys must then translate x, y & z function into the appropriate access levels for that accountant within the system.

Finance retains the administrative oversight in terms of triggering the password request and profiling the access levels desired. IT retains the technical function of implementing the same. Never put these two roles in one office. Shida mingi inajiletea.

...

...

2. I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

RESPONSE: Yes and NO. Yes, independent or external auditors (hopefully Information System Auditors) do review the technical controls. But this is often an annual exercise. So serious organisation do not wait for a year to be told their controls were not effective. They have INTERNAL information system auditors (who are technical) to continuously monitor/enforce that these IT controls are in place, working and/or need to be updated. Other organisation may allocate this role to the Information Security Officer, either way these are ICT technical chaps.

walu.

------------------------------ From: waudo siganga <emailsignet@mailcan.com> To: Walubengo J <jwalu@yahoo.com>; KICTAnet ICT Policy Discussions < kictanet@lists.kictanet.or.ke > Sent: Wednesday, January 18, 2017 1:55 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system.

I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords).

W.

On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

Grace B via kictanet <kictanet@lists.kictanet.or.ke > wrote>>> Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

It is often a confusing and thin line. The line between Administrative and Technical authority.

But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.

These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse.

If we get this seperation of authority right, we solve the IFMIS puzzle.

walu.

------------------------------ From: Grace B via kictanet <kictanet@lists.kictanet.or.ke > To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

Regards

2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet < kictanet@lists.kictanet.or.ke >:

Barrack

We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.

I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT...

Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.

Ali Hussein Principal Hussein & Associates +254 0713 601113

Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin. com/in/alihkassim <http://ke.linkedin.com/in/alihkassim> "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet < kictanet@lists.kictanet.or.ke > wrote:

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke > wrote:

Doubt Treasury economists and accountants are well placed to provide Cyber

Security :)

We need the ICT Authority to configure enterprise wide data protection

(limiting theft of passwords & access to IFMIS).

In 2016, the UN ranked the UK as # 1 in providing digital services.

https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016 <https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016>

The Government Digital Service (GDS) is part of their Cabinet Office, not

their Treasury.

https://www.gov.uk/government/ publications/govuk-pay/govuk- pay <https://www.gov.uk/government/publications/govuk-pay/govuk-pay>

Their Treasury is consulted about the payment system 👆🏾 the GDS

continues to build.

SMM

*"Better a patient person than a warrior, one with self-control than one

who takes a city." Prov 16:32*

On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never

heard in my life of an ERP Director. This is just adding a superfluous

layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership

of their components:-

1. Financials - CFO

2. CRM (Commercial/marketing/sales)

3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to

execute on its mandate. This in my humble opinion goes beyond ERPs and

talks to aligning the Technology Strategy with the Business Strategy. For

example in the banking sector where increasingly the more savvy banks are

taking a 'Platform Thinking' approach. This allows partners to plug into

their core technology through APIs to enable them extend capabilities and

hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for

using

Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing

the monster that is IFMIS. Let them first learn the basics of

communicating

effectively with the community before taking on this elephant in the

room.

*Ali Hussein*

*Principal*

*Hussein & Associates*

+254 0713 601113

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/ alihkassim <http://ke.linkedin.com/in/alihkassim>

"We are what we repeatedly do. Excellence, therefore, is not an act but a

habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <

kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560- <http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560->

3520560-5j04aq/index.html

______________________________ _________________

kictanet mailing list

kictanet@lists.kictanet.or.ke

https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>

Twitter: http://twitter.com/kictanet

Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/

mailman/options/kictanet/info% 40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform

for people and institutions interested and involved in ICT policy and

regulation. The network aims to act as a catalyst for reform in the ICT

sector in support of the national aim of ICT enabled growth and

development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors

online that you follow in real life: respect people's times and

bandwidth,

share knowledge, don't flame or abuse or personalize, respect privacy, do

not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com <https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com <https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu

<http://www. diplointernetgovernance.org/ profile/GraceMutungu <http://www.diplointernetgovernance.org/profile/GraceMutungu>>

PGP ID : 0x33A3450F

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ jwalu%40yahoo.com <https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

*______________________________ _________________* kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ emailsignet%40mailcan.com <https://lists.kictanet.or.ke/mailman/options/kictanet/emailsignet%40mailcan.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ james.muritu%40gmail.com <https://lists.kictanet.or.ke/mailman/options/kictanet/james.muritu%40gmail.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/jwalu%40yahoo.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/murigi.muraya%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/awatila%40yahoo.co.uk

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

Interesting 2013 Guardian video about the GDS... Gov.uk: how geeks opened up government https://www.youtube.com/watch?v=y9cNlPcZ-ws UK.Gov builds up their own geeks (not foreigners), UK Geeks build up UK.Gov. SMM *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32* On Wed, Jan 18, 2017 at 1:55 PM, waudo siganga via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Hi Walu - I do not agree with you that access administration (passwords) is a technical function. In most cases passwords just mimic authorization structures that pre-exist in a manual system. It is very important that the access of technical people to a system, especially a financial one, be as inhibited as possible. Those who access the system should only be capable of doing the functions they would perform in a manual system. To enhance security of the system, access administration should be overseen by a most senior person who is NOT trained to do technical work on the system.

I also differ with your suggestion that it is the work of technical people to enforce, check or review system controls. That should be the function of an independent auditor.

Overall I think there is much misunderstanding about IFMIS. The problem is not technical; it is administrative. Specifically access administration (passwords).

W.

On Wed, Jan 18, 2017, at 01:06 PM, Walubengo J via kictanet wrote:

Grace B via kictanet <kictanet@lists.kictanet.or.ke> wrote>>> Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

...

...

Segregation of duties solves this. Treasury continues being the Process owner, but surrenders the Technical leadership of the system/ERP to ICT Authority. So if it is a case of passwords and their use, expiry amongst other technical issues, we know it is ICT Authority to manage (and take blame).

It is often a confusing and thin line. The line between Administrative and Technical authority.

But you can look at it in terms of the President's Security detail. The President maybe the (Administrative) boss of his security detail, but the President can never tell his security detail HOW to guard him or what weapons to use or how many guards he needs, where to position them etc.

These are TECHNICAL issues that the President cannot and should never pretend to be dictating on since they lie squarely within the NIS/Inspector General domain. The moment NIS start taking technical instructions from the President, is the moment our security system will collapse.

If we get this seperation of authority right, we solve the IFMIS puzzle.

walu.

------------------------------ From: Grace B via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: Grace B <nmutungu@gmail.com> Sent: Wednesday, January 18, 2017 7:11 AM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

Interesting discussion. There are those who would look at IFMIS as a public finance management issue as opposed to an ICT one but this is not really count when giving management mandate to either Treasury or ICTA as long as the objectives of PFM (Article 201 of Katiba) are met. One of the issues voiced about IFMIS since devolution/new Constitution has been the problems experienced by county governments and other independent organs eg commissions in accessing funds in a timely manner. (We assume that Executive has not had too many problems assessing funds and may have indeed been facilitating leakage) One issue with transferring the responsibility of maintaining IFMIS to ICTA, it seems would be that there could be few differences between ICTA and Treasury. First, both are Executive institutions that may support devolved and independent structures in line with the soft policy direction of the government of the day. Second, the problem with IFMIS, it appears is a lack of commitment to simple values such as integrity and prudent stewardship of public funds. What guarantee wold we have that ICTA would be different from Treasury?

Regards

2017-01-18 5:54 GMT+03:00 Ali Hussein via kictanet < kictanet@lists.kictanet.or.ke>:

Barrack

We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.

I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT...

Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.

Ali Hussein Principal Hussein & Associates +254 0713 601113

Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin. com/in/alihkassim <http://ke.linkedin.com/in/alihkassim> "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet < kictanet@lists.kictanet.or.ke > wrote:

Hi Ali,

ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments.

Regards

On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke > wrote:

Doubt Treasury economists and accountants are well placed to provide Cyber

Security :)

We need the ICT Authority to configure enterprise wide data protection

(limiting theft of passwords & access to IFMIS).

In 2016, the UN ranked the UK as # 1 in providing digital services.

https://publicadministration. un.org/egovkb/en-us/Reports/ UN-E-Government-Survey-2016 <https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Survey-2016>

The Government Digital Service (GDS) is part of their Cabinet Office, not

their Treasury.

https://www.gov.uk/government/ publications/govuk-pay/govuk- pay <https://www.gov.uk/government/publications/govuk-pay/govuk-pay>

Their Treasury is consulted about the payment system 👆🏾 the GDS

continues to build.

SMM

*"Better a patient person than a warrior, one with self-control than one

who takes a city." Prov 16:32*

On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never

heard in my life of an ERP Director. This is just adding a superfluous

layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership

of their components:-

1. Financials - CFO

2. CRM (Commercial/marketing/sales)

3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to

execute on its mandate. This in my humble opinion goes beyond ERPs and

talks to aligning the Technology Strategy with the Business Strategy. For

example in the banking sector where increasingly the more savvy banks are

taking a 'Platform Thinking' approach. This allows partners to plug into

their core technology through APIs to enable them extend capabilities and

hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for

using

Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing

the monster that is IFMIS. Let them first learn the basics of

communicating

effectively with the community before taking on this elephant in the

room.

*Ali Hussein*

*Principal*

*Hussein & Associates*

+254 0713 601113

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/ alihkassim <http://ke.linkedin.com/in/alihkassim>

"We are what we repeatedly do. Excellence, therefore, is not an act but a

habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <

kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/ blogs/dot9/walubengo/2274560- <http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560->

3520560-5j04aq/index.html

______________________________ _________________

kictanet mailing list

kictanet@lists.kictanet.or.ke

https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet>

Twitter: http://twitter.com/kictanet

Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/

mailman/options/kictanet/info% 40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform

for people and institutions interested and involved in ICT policy and

regulation. The network aims to act as a catalyst for reform in the ICT

sector in support of the national aim of ICT enabled growth and

development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors

online that you follow in real life: respect people's times and

bandwidth,

share knowledge, don't flame or abuse or personalize, respect privacy, do

not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info% 40alyhussein.com <https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

______________________________ _________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/ mailman/listinfo/kictanet <https://lists.kictanet.or.ke/mailman/listinfo/kictanet> Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/ KICTANet/ <https://www.facebook.com/KICTANet/>

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/ nmutungu%40gmail.com <https://lists.kictanet.or.ke/mailman/options/kictanet/nmutungu%40gmail.com>

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Grace L.N. Mutung'u Skype: gracebomu Twitter: @Bomu

<http://www.diplointernetgovernance.org/profile/GraceMutungu>

PGP ID : 0x33A3450F

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/jwalu%40yahoo.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

*_______________________________________________* kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/emailsignet%40mailcan.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/murigi.muraya%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

I agree that there should be a Government CIO to focus on the role of managing all government ICT Systems. NOT the CS because he already has broader cross-cutting roles including those that are outside ICT function. ICTA is a parastatal (under MOICT) that was formed in August 2013 and comprises the following 3 former bodies as its departments:- 1. ICT Board 2. Directorate of e-Government 3. GITS (Government Information Technology Services). This means GITS is the department that is supposed to manage all Government IT Systems. GITS therefore needs empowerment. Peter Mwanyika | Chief ICT Officer – Security & Architecture Planning Kenya Electricity Generating Company Ltd. Stima Plaza | Kolobot Road, Parklands. P.O BOX 47936 00100 | Nairobi | Kenya Tel: +254 711 036 000, +254 711 036652 Email: pmwanyika@kengen.co.ke<mailto:%7BE-mail%7D> Website: www.kengen.co.ke<file:///C:/Users/administrator.KENGENINT/AppData/Local/Temp/2/id0pqqew.0b0/dz02kica.zk2/%7BWeb%20Page%7D> <https://www.facebook.com/pages/KenGen-Kenya-Family/509190882517514><https://twitter.com/@KenGenKenya> <https://www.facebook.com/pages/KenGen-Kenya-Family/509190882517514> <https://twitter.com/@KenGenKenya> [cid:Twitter.jpg] <https://twitter.com/@KenGenKenya> @KenGenKenya<https://twitter.com/@KenGenKenya> [cid:facebook.jpg] <https://www.facebook.com/pages/KenGen-Kenya-Family/509190882517514> KenGen Kenya<https://www.facebook.com/pages/KenGen-Kenya-Family/509190882517514> DISCLAIMER: This e-mail (including any attachments) is intended for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not a named recipient, please contact the sender and delete the e-mail from your system. KENGEN shall not accept liability for, nor shall it guarantee that messages or attachments are free from virus and/or worms. From: kictanet [mailto:kictanet-bounces+pmwanyika=kengen.co.ke@lists.kictanet.or.ke] On Behalf Of Ali Hussein via kictanet Sent: Wednesday, January 18, 2017 5:54 AM To: Peter Mwanyika <pmwanyika@kengen.co.ke> Cc: Ali Hussein <ali@hussein.me.ke> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Barrack We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system. I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT... Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further. Ali Hussein Principal Hussein & Associates +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> wrote: Hi Ali, ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments. Regards On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> wrote: Doubt Treasury economists and accountants are well placed to provide Cyber Security :) We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS). In 2016, the UN ranked the UK as # 1 in providing digital services. https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur... The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury. https://www.gov.uk/government/publications/govuk-pay/govuk-pay Their Treasury is consulted about the payment system 👆🏾 the GDS continues to build. SMM *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32* On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke<mailto:ali@hussein.me.ke>> wrote: I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy. The owner of an ERP is the business with each department taking ownership of their components:- 1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room. *Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke>> wrote: Interesting comments... ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 3520560-5j04aq/index.html _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info%40alyhussein.com<http://40alyhussein.com> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. -- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke<mailto:kictanet@lists.kictanet.or.ke> https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

@Watila, Legally the former ICT Board, eGovernment and GITS were merged to became ICT Authority as per the legal notice 183 of 2013 found @ http://www.kenyalaw.org/kl/fileadmin/pdfdownloads/LegalNotices/183-StateCorp...

...

...

Part II section (3) States: The (ICT) Authority shall be the successor to the following bodiesexisting before the commencement of this Order- (a) the Kenya Information and Communications Technology(ICT) Board; (b) the Directorate of e-Government; and (c) the Government Information Technology Services (GITS)Department. 

Has this practically and operationally happened? You can only get the answer from ICTA.  But do not be in a hurry for an answer - after all  you are behind Ali on the queue ;-) Nevertheless, gava is complicated. So you can blame ICTA too much. walu. From: awatila--- via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: awatila@yahoo.co.uk Sent: Wednesday, January 18, 2017 3:52 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS

#yiv7113739480 #yiv7113739480 --p.yiv7113739480MsoNormal, #yiv7113739480 li.yiv7113739480MsoNormal, #yiv7113739480 div.yiv7113739480MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv7113739480 a:link, #yiv7113739480 span.yiv7113739480MsoHyperlink {color:blue;text-decoration:underline;}#yiv7113739480 span.yiv7113739480MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv7113739480 p {margin-right:0in;margin-left:0in;font-size:12.0pt;}#yiv7113739480 p.yiv7113739480MsoListParagraph, #yiv7113739480 li.yiv7113739480MsoListParagraph, #yiv7113739480 div.yiv7113739480MsoListParagraph {margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv7113739480 span.yiv7113739480EmailStyle18 {color:#1F497D;}#yiv7113739480 .yiv7113739480MsoChpDefault {font-size:10.0pt;}#yiv7113739480 div.yiv7113739480WordSection1 {}#yiv7113739480 ol {margin-bottom:0in;}#yiv7113739480 ul {margin-bottom:0in;}#yiv7113739480 #yiv7113739480 #yiv7113739480 --p.yiv7113739480MsoListParagraph, #yiv7113739480 li.yiv7113739480MsoListParagraph, #yiv7113739480 div.yiv7113739480MsoListParagraph {margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;}#yiv7113739480 p.yiv7113739480MsoNormal, #yiv7113739480 li.yiv7113739480MsoNormal, #yiv7113739480 div.yiv7113739480MsoNormal {margin:0in;margin-bottom:.0001pt;}#yiv7113739480 p.yiv7113739480MsoListParagraphCxSpFirst, #yiv7113739480 li.yiv7113739480MsoListParagraphCxSpFirst, #yiv7113739480 div.yiv7113739480MsoListParagraphCxSpFirst, #yiv7113739480 p.yiv7113739480MsoListParagraphCxSpMiddle, #yiv7113739480 li.yiv7113739480MsoListParagraphCxSpMiddle, #yiv7113739480 div.yiv7113739480MsoListParagraphCxSpMiddle, #yiv7113739480 p.yiv7113739480MsoListParagraphCxSpLast, #yiv7113739480 li.yiv7113739480MsoListParagraphCxSpLast, #yiv7113739480 div.yiv7113739480MsoListParagraphCxSpLast {margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:115%;}#yiv7113739480 Please confirm on Directorate of e-Government being moved from the cabinet office and GITS being moved from treasury. Has it actually happened or it is only on paper. e.g. Did the e-government secretary relocate to ICTA? 2ndly, When Dr. Oketch was e-government secretary he pursued a strategy of decentralizing ICT to the Ministries, Agencies and Departments. Apart  from the concept of shared services (which was one of the original justifications for IFMIS) I am not sure what the current e-government strategy is. Finally if GITS moves to the ICTA will treasury be left without an ICT function? Regards, Sent from Windows Mail From: KICTAnet ICT Policy Discussions Sent: ‎Wednesday‎, ‎January‎ ‎18‎, ‎2017 ‎10‎:‎51‎ ‎AM To: 'Watila Alex - Current' Cc: Peter Mwanyika I agree that there should be a Government CIO to focus on the role of managing all government ICT Systems. NOT the CS because he already has broader cross-cutting roles including those that are outside ICT function. ICTA is a parastatal (under MOICT) that was formed in August 2013 and comprises the following 3 former bodies as its departments:- 1. ICT Board  2. Directorate of e-Government 3. GITS (Government Information Technology Services).This means GITS is the department that is supposed to manage all Government IT Systems. GITS therefore needs empowerment. Peter Mwanyika |Chief ICT Officer – Security & Architecture Planning Kenya Electricity Generating Company Ltd. Stima Plaza | Kolobot Road, Parklands. P.O BOX 47936 00100 | Nairobi | Kenya Tel: +254 711 036 000, +254 711 036652 Email: pmwanyika@kengen.co.ke Website: www.kengen.co.ke    @KenGenKenya           KenGen KenyaDISCLAIMER: This e-mail (including any attachments) is intended for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not a named recipient, please contact the sender and delete the e-mail from your system.KENGEN shall not accept liability for, nor shall it guarantee that messages or attachments are free from virus and/or worms.From: kictanet [mailto:kictanet-bounces+pmwanyika=kengen.co.ke@lists.kictanet.or.ke]On Behalf Of Ali Hussein via kictanet Sent: Wednesday, January 18, 2017 5:54 AM To: Peter Mwanyika <pmwanyika@kengen.co.ke> Cc: Ali Hussein <ali@hussein.me.ke> Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS Barrack We are saying the same thing really.. Let's assume that the ICTA is the ICT Department of the Government (which I doubt it is equipped to execute that mandate) then 'managing' here really means providing support to the system.  I think it's time the Government considers the role of Chief Information Officer to really manage the strategic thrust of all ICT initiatives across ministries. The CIO can then be held accountable for overall efficiency and security of all Government ICT Systems. This CIO needs to report directly to the Chief Executive Officer (President) of the country. Now, that person could be seconded or be a part of the ICTA with a doted line responsibility to the CS, MOICT... Ultimately the overall responsibility of how well our Government ICT Systems work lies squarely on the CEO's desk. Look no further.Ali HusseinPrincipalHussein & Associates+254 0713 601113  Twitter: @AliHKassimSkype: abu-jomoLinkedIn: http://ke.linkedin.com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle  Sent from my iPad On 17 Jan 2017, at 11:27 PM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke> wrote: Hi Ali, ERP grew from MRP (Material Resource Planning which was a means of planning and allocating resources in Factories. The difference between the two is that MRP's were stand alone systems whereas ERP's are modular and have more functionality. From an evolution perspective , it would be ideal to manage IFMIS from Ministry of Finance since they are the custodians of the treasury and normally allocate resources through the budgeting process. From a Project Management perspective, it would be ideal to manage IFMIS from ICTA since it is the specialized agency meant to manage government technology investments. Regards On 1/17/17, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote: Doubt Treasury economists and accountants are well placed to provide Cyber Security :)   We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS).   In 2016, the UN ranked the UK as # 1 in providing digital services.   https://publicadministration.un.org/egovkb/en-us/Reports/UN-E-Government-Sur...   The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury.   https://www.gov.uk/government/publications/govuk-pay/govuk-pay   Their Treasury is consulted about the payment system  👆🏾  the GDS continues to build.         SMM   *"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*   On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:   I fundamentally disagree with this assertion.   First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy.   The owner of an ERP is the business with each department taking ownership of their components:-   1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance   Etc.   The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers.   The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models.   Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room.   *Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113   Twitter: @AliHKassim   Skype: abu-jomo   LinkedIn: http://ke.linkedin.com/in/alihkassim   "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle     Sent from my iPad   On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote:   Interesting comments...   ICT Authority, not Treasury, should oversee IFMIS   http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560- 3520560-5j04aq/index.html   _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/   Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/info%40alyhussein.com   The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.   KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.       -- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

I try to keep off GOK matters but let me comment on IFMIS once and for all. IFMIS is a system. It entails software, hardware, peopleware and procedures. The absence of regular system audits means that the software is interfered with. Anyone will tell you that what is currently used as IFMIS is not the original version. There is need to know who makes software changes and if the changes are noted. Just like accounting you cannot have the auditor doing the accounting work. There must be checks and balances. On the Hardware side, it is people who switch the servers off whenever you hear that the system is down. The problem is people and that what we need to deal with. My considered opinion is to move the servers elsewhere, remove the peopleware and conduct regular system audits. Perhaps Software as a service may be the best way out. Further, there must be consequences for misuse of passwords. This may sound simple but there are cartels who "own" and run the entire system. So no matter what you do, you are at the mercy of their imaginations. Just ask why isn't the managed by ICT Ministry. Ndemo On Wed, Jan 18, 2017 at 11:17 AM, Mutemi wa Kiama via kictanet < kictanet@lists.kictanet.or.ke> wrote:

From my layman's point of view, IFMIS is a product GoK bought. Once you purchase a product, you must have/build the internal capacity to use it competently.

Regards,

Edwin

On 17 Jan 2017 23:03, "S.M. Muraya via kictanet" < kictanet@lists.kictanet.or.ke> wrote:

Doubt Treasury economists and accountants are well placed to provide Cyber Security :)

We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS).

In 2016, the UN ranked the UK as # 1 in providing digital services.

https://publicadministration.un.org/egovkb/en-us/Reports/UN- E-Government-Survey-2016

The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury.

https://www.gov.uk/government/publications/govuk-pay/govuk-pay

Their Treasury is consulted about the payment system 👆🏾 the GDS continues to build.

SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

...

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership of their components:-

1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room.

*Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113 <+254%20713%20601113>

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/alihkassim

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-35 20560-5j04aq/index.html

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/m ailman/options/kictanet/info%40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/m ailman/options/kictanet/eddiekiama%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/bndemo%40bitangendemo.me

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

And then there's this:- http://www.businessdailyafrica.com/Treasury-budgets-to-spend-Sh7-6bn-on-IFMI... Ali Hussein Principal Hussein & Associates +254 0713 601113 Twitter: @AliHKassim Skype: abu-jomo LinkedIn: http://ke.linkedin.com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle Sent from my iPad

On 19 Jan 2017, at 9:52 AM, Barrack Otieno via kictanet <kictanet@lists.kictanet.or.ke> wrote:

Well said Dr. Ndemo,

We are yet to find a good antivirus for peopleware, herein lies the biggest challenge.

Regards

...

On 1/19/17, Bitange Ndemo via kictanet <kictanet@lists.kictanet.or.ke> wrote: I try to keep off GOK matters but let me comment on IFMIS once and for all. IFMIS is a system. It entails software, hardware, peopleware and procedures. The absence of regular system audits means that the software is interfered with. Anyone will tell you that what is currently used as IFMIS is not the original version. There is need to know who makes software changes and if the changes are noted. Just like accounting you cannot have the auditor doing the accounting work. There must be checks and balances. On the Hardware side, it is people who switch the servers off whenever you hear that the system is down. The problem is people and that what we need to deal with. My considered opinion is to move the servers elsewhere, remove the peopleware and conduct regular system audits. Perhaps Software as a service may be the best way out. Further, there must be consequences for misuse of passwords.

This may sound simple but there are cartels who "own" and run the entire system. So no matter what you do, you are at the mercy of their imaginations. Just ask why isn't the managed by ICT Ministry.

Ndemo

On Wed, Jan 18, 2017 at 11:17 AM, Mutemi wa Kiama via kictanet < kictanet@lists.kictanet.or.ke> wrote:

...

From my layman's point of view, IFMIS is a product GoK bought. Once you purchase a product, you must have/build the internal capacity to use it competently.

Regards,

Edwin

On 17 Jan 2017 23:03, "S.M. Muraya via kictanet" < kictanet@lists.kictanet.or.ke> wrote:

Doubt Treasury economists and accountants are well placed to provide Cyber Security :)

We need the ICT Authority to configure enterprise wide data protection (limiting theft of passwords & access to IFMIS).

In 2016, the UN ranked the UK as # 1 in providing digital services.

https://publicadministration.un.org/egovkb/en-us/Reports/UN- E-Government-Survey-2016

The Government Digital Service (GDS) is part of their Cabinet Office, not their Treasury.

https://www.gov.uk/government/publications/govuk-pay/govuk-pay

Their Treasury is consulted about the payment system 👆🏾 the GDS continues to build.

SMM

*"Better a patient person than a warrior, one with self-control than one who takes a city." Prov 16:32*

...

On Tue, Jan 17, 2017 at 9:45 PM, Ali Hussein <ali@hussein.me.ke> wrote:

I fundamentally disagree with this assertion.

First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy.

The owner of an ERP is the business with each department taking ownership of their components:-

1. Financials - CFO 2. CRM (Commercial/marketing/sales) 3. Procurement - Procurement which sometimes comes under Finance

Etc.

The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers.

The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models.

Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room.

*Ali Hussein* *Principal* *Hussein & Associates* +254 0713 601113 <+254%20713%20601113>

Twitter: @AliHKassim

Skype: abu-jomo

LinkedIn: http://ke.linkedin.com/in/alihkassim

"We are what we repeatedly do. Excellence, therefore, is not an act but a habit." ~ Aristotle

Sent from my iPad

On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet < kictanet@lists.kictanet.or.ke> wrote:

Interesting comments...

ICT Authority, not Treasury, should oversee IFMIS

http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-35 20560-5j04aq/index.html

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/m ailman/options/kictanet/info%40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/m ailman/options/kictanet/eddiekiama%40gmail.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/ mailman/options/kictanet/bndemo%40bitangendemo.me

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

-- Barrack O. Otieno +254721325277 +254733206359 Skype: barrack.otieno PGP ID: 0x2611D86A

_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/

Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com

The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.

KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.

@ Ali, This gist of my blog below is written within the existing or prevailing context.  | | WALUBENGO: ICT Authority, not Treasury,... | | We  already have an IFMIS Director,  always had since almost ten years ago when former CS Anne Waiguru was I believe the first IFMIS Director? So it is a position that is unlikely to disappear soon, superfluous or otherwise. So how can we harness it? So my hypothesis was that to begin with, it is wrongly placed.  By having strong administrative reporting lines to the PS Treasury, the IFMIS Director loses some technical 'independence' at the expense of this 'administrative' dominance from the PS Treasury. The same way an ICT Director who reports to the Finance Director would have his or her technical independence severely  degraded and restricted within one department rather than the whole organisation.  My submission is that such technical independence is necessary in as far as ensuring that IT controls are enforced, regularly checked and regularly reviewed. Very true, Finance or Treasure is the PROCESS owner, but the TECHNICAL owner should be someone else - segregation of duties is one way of clearing conflicts of interest. The moment Finance or Treasury is both the PROCESS and the TECHNICAL owner, then you run into the problems we are seeing.  Treasury has no business dimensioning the technicalities of IFMIS e.g. the specs, costs, implementations and other project related issues of the ERP. It is similar to asking HR department to do the same for their Payroll system == Shida mingi sana. My submission is that, Treasury is a just a client of IFMIS.  ICT Department (ICT Authority in this case) should stamp its technical role and authority with respect to IFMIS.  If they mess up, we can know where to place the blame. At the moment, the reporting lines for IFMIS are just too fluid to blame anyone - I do hope that this is NOT by design :-) The idea of a Government CIO fits into this  thinking.  As per the current statutes /laws, ICTA is the closest animal to this CIO thing. walu. From: Ali Hussein via kictanet <kictanet@lists.kictanet.or.ke> To: jwalu@yahoo.com Cc: Ali Hussein <ali@hussein.me.ke> Sent: Tuesday, January 17, 2017 9:45 PM Subject: Re: [kictanet] ICT Authority, not Treasury, should oversee IFMIS I fundamentally disagree with this assertion. First,y, the role of a CIO is to support the enterprise. I have never heard in my life of an ERP Director. This is just adding a superfluous layer of useless bureaucracy. The owner of an ERP is the business with each department taking ownership of their components:- 1. Financials - CFO2. CRM (Commercial/marketing/sales)3. Procurement - Procurement which sometimes comes under Finance Etc. The CIO takes ownership to ensure that the company is well oiled to execute on its mandate. This in my humble opinion goes beyond ERPs and talks to aligning the Technology Strategy with the Business Strategy. For example in the banking sector where increasingly the more savvy banks are taking a 'Platform Thinking' approach. This allows partners to plug into their core technology through APIs to enable them extend capabilities and hence offerings to their customers. The role of a CIO has fundamentally changed to speak to the need for using Technology as an accelerator to successful business models. Secondly, I don't see how the ICT Authority would be better in managing the monster that is IFMIS. Let them first learn the basics of communicating effectively with the community before taking on this elephant in the room. Ali HusseinPrincipalHussein & Associates+254 0713 601113  Twitter: @AliHKassimSkype: abu-jomoLinkedIn: http://ke.linkedin.com/in/alihkassim "We are what we repeatedly do. Excellence, therefore, is not an act but a habit."  ~ Aristotle Sent from my iPad On 17 Jan 2017, at 6:42 PM, S.M. Muraya via kictanet <kictanet@lists.kictanet.or.ke> wrote: Interesting comments...  ICT Authority, not Treasury, should oversee IFMIS http://www.nation.co.ke/oped/blogs/dot9/walubengo/2274560-3520560-5j04aq/ind... _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications. _______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet Twitter: http://twitter.com/kictanet Facebook: https://www.facebook.com/KICTANet/ Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development. KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.