Policies

The key objective of eGovernment is to provide better citizen services while improving the efficiency and effectiveness of government. In order to do this in an orderly and united manner, the eGovernment policy was formed and approved by the Cabinet of Ministers in 2009. The Cabinet of Ministers also implied that all government organizations should implement and comply with the eGovernment policy. This page provides an introduction to eGovernment, the eGovernment policy as well as the Information Security policy.

Introduction to eGovernment

eGovernment is the method for using ICT to carry out the main functions of the government. These include:

  • providing products and services to the citizens
  • maintaining law and order, foreign affairs, defense, and welfare more effectively.

eGovernment mainly helps to increase the efficiency and effectiveness of the public sector and to provide citizen services in a more citizen-friendly and convenient manner. eGovernment officers responsible for the implementation of this project should possess knowledge and capabilities in the areas of ICT, management of ICT and concepts of eGovernment, and should have experience of working in the public sector.

Objectives of eGovernment

“Provide better and convenient services to the citizens of the country”

“Participation of clients”

“Using social media to provide better services”

“Maintain better relationships with clients”

“Good governance in terms of efficiency, effectiveness, transparency, responsibility and participation”

Benefits to Stakeholders

Government to citizens:

    • Better living standards
    • Convenient access to government services
    • Multiple service channels
    • Quick access to services
    • Less corruption due to higher transparency

Government to Business:

    • Able to make quick transactions with the government sector
    • Dealing with government is easier

Government to Employees:

    • Transparency in internal activities
    • Automated services such as payroll, attendance
    • Workplace convenience
    • Higher acceptability

Government to Government

    • Better regulation
    • Higher transparency
    • Higher efficiency and effectiveness
    • Minimum corruption
    • Faster communication

eGovernment Policy

The first eGovernment policy of Sri Lanka was approved by the Cabinet of Ministers in December 2009 to be adopted and implemented by all government organizations during the period of 2010-2012. ICTA, which was given the mandate by the Cabinet of Ministers to monitor the implementation, review the policy and revise it as necessary, conducted a series of conferences and workshops around the country to create awareness of the content of the policy and of approaches for implementation and review. The progress of the implementation of the eGovernment policy is described on the ICTA website.

ICTA carried out annual reviews of the implementation of the eGovernment policy in 2010, 2011, 2012 and 2013. Regrettably, the rate of successful implementation of the eGovernment policy by government organizations has been extremely low, despite the efforts made by ICTA as well as participating organizations.

Having analyzed the reasons for low implementation, the following decisions were made by ICTA with the involvement of key stakeholders.

  • The eGovernment policy contained very complex policy requirements
  • The policy was too extensive. It had 29 policy statements and 177 policy guidelines which should be implemented by all government organizations regardless of different eGovernment maturity levels that they are at.
  • There was no clear identification of responsibilities with regard to the implementation of the policy.
  • Chief Innovation Officers (CIOs) who are generally responsible for implementation of the policy had no clear idea on how to do that. Moreover, CIOs had no authority to implement those
  • It was also not clear to government why they should implement the policy. (Policy objectives were not clear)

For more eGovernment policy related resources, visit the eGovernment Policy Project page of the ICTA website.

The eGovernment Policy Review Committee

In order to draft the revised version of the policy, the Chairman of ICTA appointed an eGovernment Policy Review Committee.

The policy review committee embarked on a journey to address the above issues while revising and updating the policy as and when necessary. In order to compile the policy statements and guidelines, the committee studied such requirements documented in other countries and the requirements included in the first version of the policy.

The committee agreed on a new theme for the policy and drafted 10 policy objectives under which the 32 policy statements were identified.

The committee appointed a Working Committee in order to draft the policy guidelines. The eGovernment Policy Working Committee drafted the policy guidelines and identified the responsibilities for implementing the policy by using the RACI (Responsible, Accountable, Consulted, Informed) matrix.
The Working Committee also identified a convenient approach for government organizations to implement the policy requirements and identify the eGovernment maturity stage of their organizations.

Presidential circular issued on implementation of eGovernment Policy

According to the presidential circular, the following are a few highlights of the implementation of the eGovernment Policy. Every government organization should:

  • create an ICT unit led by a Chief Innovation Officer (CIO)
  • draft an annual ICT implementation plan as part of the main business plan, including the ICT vision, mission and the procurement plan
  • allocate sufficient funds for ICT procurements and maintaining equipment
  • prepare themselves for a complete transformation to emails as a primary means of communication
  • use trilingual websites under the domain “gov.lk”
  • use Sinhala and Tamil Unicode whenever necessary for ICT based activities
  • use all three languages in providing information to the “Government Information Center”
  • conform to latest version of Lanka Interoperability Framework (LIFe)
  • use Lanka Gate and Country Portal for delivering government services
  • use 1919 as the telephone short code for sending mobile based information
  • consult ICTA before initiating any major ICT project (over Rs. 2 million)
  • use only licensed software
  • carry out an annual assessment to make sure their staff are skilled and trained enough to address ICT requirements.

The consultative process

Once the policy was drafted, it was presented to government CIOs, Senior Managers of the government, ICT based and non ICT based private sector managers, academia and civil society members for wider consultation. Moreover, public consultation on improving the policy was requested and received through public media.

How the policy should be implemented by using the checklist

The working committee prepared a policy implementation checklist for facilitating the implementation and reporting its success to ICTA.
The working committee also identified and documented an easy approach for implementing the policy by using the eGovernment maturity levels.

Once the identified approach is followed, government organizations will be able to look at the policy requirements based on their eGovernment maturity levels. For example, every government organization should start by implementing the eGovernment policy requirements related to the “Information” stage, which is the lowest eGovernment maturity stage. Once they have implemented the policy requirements related to the “Information” stage, they can start implementing the policy requirements related to the next stage, which is the “Interactive” stage. If an organization has not implemented at least 70% of the requirements related to one stage, it should not proceed to the next level. If any government organization is unable to proceed beyond the “Interactive” stage, we identify them to be at the “Interactive” stage.

However, they are free to check whether they have implemented the requirements related to higher stages and mark the implementation check list accordingly.

Assessment of Policy implementation

The “Policy Implementation Check List” will be used to assess and verify eGovernment Policy implementation by government organizations. The implementation check list identifies a set of documents which should be submitted by the government organizations as proof of policy implementation. The policy team produced all the forms and templates required for the verification process.
The policy compliance rate of each organization is expected to be assessed based on the implementation check lists submitted by each organization. The results of the assessment of compliance rate will be published and given some publicity so that citizens are aware of the compliance rate of each organization.

Information Security Policy

It has come to the attention of ICTA and Sri Lanka CERT, which are currently involved in assisting government organizations to improve their Information Security (IS) posture, that many government organizations have a strain on human resources when it comes to implementing Information Security Management Systems (ISMS) in their organization. While there is no substitute for a comprehensive organization-specific IS policy, these organizations cannot be left unprotected, until such policies are developed and implemented.

Therefore, SLCERT, in collaboration with ICTA, has produced this condensed IS Policy for Government organizations, which establishes a baseline level of security throughout.

  • Administrative Security
    • Where feasible, the organization must develop and maintain well defined roles and responsibilities for job designations, along with requirements for ICT system usage to avoid conflicts of interests.
    • The organization must conduct training and awareness on information security to its employees, at least every six months.
    • The organization must have a Computer Security Incident response procedure and fraud reporting procedure in place.
    • All third party personnel engaged by the organization must be bound by Non Disclosure Agreements (NDA), subject to penalties for violation. They must also be bound by the terms of this policy.
    • All organizations must build and maintain a record of Information Assets.
    • Where feasible a predetermined off-site backup location should be established to carry out critical operations and/or store critical data during a disaster scenario directed by management based on legal and business requirements.
    • A security warning banner must be used to remind the users about the possible consequences due to inappropriate use of information systems and random screening of Internet and e-mail usage may be implemented as per the business requirements of the department or organization to ensure acceptable use of ICT resources.
    • Violation of any mandatory policy statements set forth herein shall lead to the invocation of disciplinary procedures, which may include prosecution under national legislation.
    • Sensitive citizen information must be protected from unauthorized disclosure.
  • Technical Security
    • By default, all Services and Ports on network devices and terminal devices must be disabled. They must only be activated if the organization’s objectives and business activities require them, and subject to management authorization.
    • Passwords must be used to protect access to systems.
    • Application, device and access Logs must be enabled and stored in a safe location.
    • User Privileges to use information and information systems must only be granted to employees on a “need” basis as defined by their job role and special circumstances, subject to management approval and removed soon after the said work is completed.
    • As a minimum, a host based Anti-Malware (Virus, Spyware, Phishing, Spam, Firewall, etc) solution must be adopted. While retail solutions are encouraged, freeware solutions will be acceptable (Links provided). All virus signatures must be updated daily.
    • If it does not feature a personal Firewall, the operating system's built-in Firewall must be enabled.
    • Remote access methods must be provided strictly for business purpose only and must be secured.
    • Licensed Original software must be used within the government departments in all situations, and open source free license software is to be used where applicable. All software used, including operating systems, must be patched and updated to avoid security vulnerabilities.
    • All custom made software must include a support agreement for a minimum number of years as determined by management. The software where deemed necessary by management in consultation with SLCERT must be tested for secure code and secure functionality.
  • Physical Security
    • All ICT equipment must be placed in secure locations. Secure locations must be protected by Padlocks, security guards or CCTV systems.
    • Proper operating environmental conditions must be provided for ICT equipment, as specified in their documentation.
    • Where possible, a physical register of visitor movements to and from the organization must be maintained, containing times, date and personal identification information (e.g. NIC).
    • A separate register must be maintained for equipment movement.
    • Sensitive and restricted areas must be demarcated and proper mechanisms must be in place to avoid intruder access.
    • Steps must be followed to ensure secure disposal of media containing confidential data where necessary.
    • All workstations must be locked, logged off or shut down while not in use.