Project Rosetta (Streams 1 and 2)
1 EXECUTIVE SUMMARY
1.1 Introduction
Project Rosetta is an initiative under the government's
Connecting Victoria policy. The policy aims to deliver the
benefits of information and communications technology (ICT) to all
Victorians.
At a minimum, the project was expected to establish electronic
directory services in core government departments, to store
personal details of employees and contractors and to provide ‘white
pages’ capability.
The overall objective of this audit was to assess whether
Project Rosetta has been effectively managed. This involved a review
of its development, ongoing management and maintenance by the
Government Services Group (GSG) and in three selected
departments.
1.2 Key findings
- Project Rosetta has delivered the planned
functionality of a whole of Victorian Government (WoVG) enterprise
directory and a uniform set of electronic meta-directories in the
10 portfolio departments as intended, albeit seven months later
than originally planned.
- There is still a need to improve control over
the inputting and updating of data in the directories so they
remain complete and accurate. Some key elements of identity data,
mainly date of birth and gender, are stored incorrectly in some
departmental directories and in the WoVG directory. While this does
not impact on the overall operation of the Rosetta directory, it
does mean that additional work is required to validate new and
changed directory entries.
- The Rosetta system in its current form is
authoritative only as a ‘white page’ directory for government
employees. If the directory is to become an authoritative identity
management database, it will need to be reviewed and enhanced to
strengthen system integrity.
- The Rosetta directory provides a common platform
that can be used in future ICT systems developments. The GSG is
coordinating aspects of WoVG ICT developments to avoid new ICT
projects incorporating components that compete or conflict with
existing architectures, in particular those provided by
Rosetta.
- GSG has yet to finalise ICT standards for
identification, authentication and authorisation of system users
and for information classification. In the absence of these
standards, future ICT developments using Rosetta functionality are
likely to adopt inconsistent approaches to identity management and
information classification.
- The approved funding for Rosetta (Streams 1
& 2) was $16.8 million. Total actual costs on completion of the
project were $19.8 million. The cost overrun relates to operating
expenditure. Audit analysis indicates that the initial estimates of
the staff time and materials required to operate and maintain the
Rosetta directory were not realistic.
- The approved budget for the project did not
include the costs incurred by participating departments. Audit
estimates departmental project expenditure of more than $7.9
million, in addition to the $19.8 million incurred by Multimedia
Victoria (MMV).
- The three departments in our audit sample have
not completed an assessment of benefits realised, and while MMV has
completed a benefits realisation report, it is inadequate. In the
absence of a rigorous and comprehensive benefits realisation study,
audit is not able to give any assurance that Project Rosetta has
realised the benefits predicted in the business case.
- The arrangements for the ongoing support and
management of Rosetta at the WoVG level are appropriate. The GSG
has established ‘Rosetta Operations’ to manage and support the WoVG
directory.
1.3 Recommendations
- GSG should develop realistic timeframes for
future major ICT projects involving multiple agencies that:
  - include a realistic allowance for contingency, and
  - take sufficient account of other competing IT activities
    planned in the participating agencies.
  (Recommendation 3.1)
RESPONSE provided by Secretary,
Department of Treasury and Finance
DTF agrees, in-principle, with this
recommendation. Whole-of-government projects, by their very nature,
are complex, requiring the development of a robust and flexible
project plan that will allow for the identification of
contingencies and competing IT priorities, especially where there
is involvement from multiple agencies. It would be expected that a
regular review of the project plan could result in periodic changes
to certain underlying project assumptions, impacting on the
delivery of each key phase of the project delivery, and the
delivery of a project within a realistic timeline.
A post-implementation review of this project will identify
the areas for improvement, with any lessons learnt from the
delivery of this project to be applied to other cross-government
projects.
- Departments establish controls to:
  - detect or prevent erroneous data input into directories, and
  - correct and resubmit data that has been input erroneously.
  (Recommendation 3.2)
- GSG review run-to-run control totals and ensure completeness of
WoVG directory file updates. (Recommendation 3.3)
RESPONSE provided by Secretary,
Department of Treasury and Finance
DTF supports this recommendation. To ensure completeness of updates
to the WoVG directory file, the following actions will be taken:
  - file update indicators (as managed by DTF) will be reviewed and
    strengthened; and
  - departments will be advised of their responsibilities in
    submitting updates to the directory file.
- GSG establishes control procedures to
monitor system activities.
(Recommendation 3.4)
RESPONSE provided by Secretary,
Department of Treasury and Finance
DTF notes this recommendation. Control procedures to monitor the
activities of the system are currently in place. However, where
appropriate, these internal control procedures will be reviewed and
strengthened to support the completeness and accuracy of the
database.
- GSG confirms that the methods for exchanging
Rosetta information within and between departments, and Rosetta
Operations, are compliant with departmental privacy requirements
and consistent with existing information classification standards.
(Recommendation 3.5)
RESPONSE provided by Secretary, Department of Treasury
and Finance
DTF notes this recommendation.
DTF believes that the method that has been used for exchanging
Rosetta information within departments, across departments and
across the Rosetta Operations is consistent and compliant with
applicable classification standards and privacy requirements.
In order to mitigate any concern about variability in the manner in
which some departments have implemented privacy requirements and
classification standards, DTF will review this process and
re-affirm with departments as to their responsibilities in this
area.
- GSG ensures that for future multi-agency, multi-year ICT
infrastructure investments:
  - full life-cycle cost estimation is undertaken at the planning
    phase
  - GSG works in conjunction with the departments to make sure that
    common project charts of account and accounting rules are
    established at each participating agency so that development and
    recurrent costs are recorded consistently
  - forecast full cost to completion is updated regularly and
    monitored to reconcile with the cost assumptions in the original
    business case.
  (Recommendation 3.6)
RESPONSE provided by Secretary, Department of Treasury
and Finance
DTF agrees in-principle with
the recommendation. While departments are consulted when estimates
of full life cycle costs are developed, it is often difficult to
comprehensively establish actual project costs. A review of the
method by which the costs incurred for multi-agency projects are
determined will be undertaken in the near future, with lessons
learnt to be applied to future multi-agency and multi-year ICT
infrastructure projects. A review will also be undertaken to
determine a consistent method for developing and recording project
costs, including a reconciliation of approved project costs with
the approved business plan.
- GSG completes a robust and conclusive benefits
realisation study. (Recommendation 3.7)
RESPONSE provided by Secretary, Department of Treasury
and Finance
DTF advises that a benefits
realisation study has been undertaken for this ICT infrastructure
project; however, an additional study, which will show the cumulative
benefits, will be undertaken shortly.
- GSG finalises its business continuity planning
as a matter of priority. (Recommendation 4.1)
RESPONSE provided by Secretary, Department of Treasury
and Finance
DTF agrees with the recommendation. The finalisation of the business
continuity planning will occur as a matter of priority.
- GSG should issue standards for information
classification.
(Recommendation 4.2)
RESPONSE provided by Secretary, Department of Treasury and
Finance
DTF supports this recommendation. Work is currently being undertaken
which will result in the development of appropriate standards for
information classification, with these standards to be formally
issued for adherence upon completion.
- GSG should complete and issue standards for the
identification, authentication and authorisation of users, for the
recording and auditing of activities, and for the detection,
reporting and collection of evidence related to unauthorised access
to information or systems. (Recommendation 4.3)
RESPONSE provided by Secretary, Department of Treasury
and Finance
DTF notes this recommendation. The development of appropriate
standards to mitigate unauthorised access to information or systems
is currently in progress, with these standards to be formally issued
for adherence upon completion.