Part 7: Internal systems

Effectiveness of the New Zealand Debt Management Office.

Our expectations and overall findings

7.1
We expected NZDMO’s Information Technology (IT) function to deliver:

  1. system functionality that meets NZDMO’s business needs and enables the business to operate efficiently;
  2. plans, processes, and IT capability to maintain and support IT systems in the longer term;
  3. processes to identify, evaluate, and monitor risks posed by technology; and
  4. testing of the functionality of changes before implementation.

7.2
We found:

  1. NZDMO’s IT systems are an in-house developed solution that meets business needs. Processes exist for IT staff to regularly collaborate with other NZDMO staff to identify their strategies and needs relating to technology;
  2. NZDMO’s IT section has plans to create a new Information Systems (IS) Strategic Plan, update its Business Continuity Plan, and reduce key personnel risk through cross-training;
  3. processes to identify and manage IT risks are integrated with business processes; and
  4. before implementing changes, NZDMO tests the functionality of the changes and verifies that the changes meet its business needs. Because of the small size of the IT group, developers have access to the IT production environment. However, mitigating controls exist to prevent and detect any errors or unauthorised changes to the production environment.

7.3
We concluded that NZDMO’s systems provide the functionality to meet its business requirements with sound control procedures around change management.

Background

7.4
NZDMO’s Information Technology (IT) systems, including Matriarch and SWIFT, currently meet key business needs. For example, Matriarch has the functionality and reporting capability needed for NZDMO’s business to operate efficiently. Business staff interviewed were unable to identify any significant gaps in the IT system’s functionality.

7.5
Processes are also in place for the IT function to continue to identify and address business needs as they change in the future. Two main factors that contribute to high levels of business alignment are:

  • NZDMO’s IT systems being an in-house developed solution; and
  • processes for IT staff to regularly collaborate with other NZDMO staff to identify their strategies and needs relating to technology.

7.6
Having an in-house developed system, rather than a packaged solution, enables the IT function to effectively and efficiently build technology solutions to meet the business needs. Two examples are:

  • Matriarch’s core functionality and reports were tailored and built to meet NZDMO’s specific needs and business.
  • It is easier to build new functionality and reports in Matriarch than to fit the business needs into the constraints of a packaged system. For example, the IT function has been able to create new functionality and reports for new instruments such as mortgage-backed securities, build new models including credit models, create new reports needed for clients, and build an interface between Matriarch and SWIFT to automate manual processes and allow for straight through processing.

Ability to maintain and support systems

7.7
NZDMO’s IT function has effective processes in place to address future system maintenance and support needs. For example, IT has plans to create a new Information Systems Strategic Plan (ISSP), update its Business Continuity Plan (BCP), and address key personnel risk.

7.8
Over the next 6-12 months, NZDMO IT will develop an ISSP, align it with the business strategies, and consider applicable Treasury strategies. The most recent ISSP was created in 2002 and outlined a solution to replace Infinity with Matriarch, which has now happened.

7.9
While NZDMO met the 2002 ISSP’s objectives and delivered the Matriarch system to address the stated business needs, the next ISSP will explore technology options to best meet NZDMO’s future maintenance and support needs. Existing technology may become obsolete, and the business will need a system that is appropriately future-proofed. The ISSP will consider the advantages and disadvantages of the current in-house solution against other technology options.

7.10
Although the current BCP is comprehensive, it is several years old and needs to be updated and tested. A full scale BCP test was performed at NZDMO’s Auckland site in 2002. The 2002 test was considered successful, because NZDMO was able to transmit payment messages and manually process payments through all three payment systems. According to NZDMO, if a disaster occurred today, it would be able to follow the BCP. However, NZDMO has not performed another full scale BCP test since 2002.

7.11
Since NZDMO’s systems sit on the Treasury’s IT platform, NZDMO’s BCP needs to be aligned with the Treasury’s BCP. NZDMO is working with the Treasury’s Knowledge Infrastructure Services (KIS) to implement a new remote access solution. The implementation is due to be complete around June 2007. After this, NZDMO will be able to begin planning the timeline to update its BCP. NZDMO IT staff and business representatives will be involved in this.

IT risk management

7.12
NZDMO IT has processes in place to identify, evaluate, and monitor IT risks, and these processes are integrated with business processes.

7.13
Common risks posed by technology are presented by:

  • software changes requested by the business;
  • the Treasury’s patches to hardware, operating system, or Microsoft® Access database;
  • system problems; and
  • the Treasury’s infrastructure, processes, and people.

7.14
NZDMO IT identifies, evaluates, and monitors IT risks through:

  • reviewing the Matriarch enhancement log and problem log;
  • weekly IT staff meetings;
  • fortnightly enhancement team meetings;
  • quarterly IT strategy meetings; and
  • regular contact with the Treasury about upcoming patches and NZDMO’s pre-testing of Access patches before implementation.

Acceptance test procedures

7.15
Before implementing changes, NZDMO IT has processes in place to test the functionality of the change and to verify that the change meets the business needs. While segregation of duties issues exist because developers have access to production, such risks are mitigated by:

  • a review of system-generated reports on a periodic basis;
  • an audit to identify unauthorised or inappropriate changes to the system; and
  • the ability to revert to backup versions of the system where serious errors occur.

Backup controls

7.16
NZDMO IT system backup capabilities include:

  • Every 15 minutes, the Search Query Language (SQL) server logs are electronically transmitted from the Wellington server to the Auckland server. Each morning, NZDMO IT reviews the database customisation report to verify that there are no exceptions between the servers (for example, no difference in the number of records between servers).
  • Each morning, nine of the key Access databases are automatically backed up on a separate server. About five days of backups are kept on the server. Whenever a file has become corrupt, IT has been able to restore the file with the backup copy. NZDMO IT periodically copies production SQL database backup information into the test database – this was most recently performed in January 2007.
  • The Treasury’s KIS group also backs up the SQL server database each night. Whenever NZDMO IT has needed to retrieve backup tapes from KIS, it has been able to restore the database from the backup tapes.
  • SWIFT database and certificates are backed up to the BCP site, and these backups are performed automatically every day.