Acquisition of capabilities

The acquisition of capabilities to enable and support business needs is an important activity within organisations and also in the larger ecosystem. This section focuses on information and guidance related to acquisition of business and technology capabilities by the stakeholders.

The audience for this section includes:

  • Business Unit heads, CIOs, CISOs.
  • Technology strategy and perspective planning team.
  • Project management and procurement teams.
  • Technical implementation teams.
  • OEMs and System Integrators (SI), service and support providers, consultancy organisations, inspection and audit bodies.

Overview

All capabilities are acquired through a project-based or incremental procurement approach, using capital or revenue budgets. Business and technology capabilities typically have two major lifecycle stages:

  • Acquire and Provision.
  • Operate and Maintain.

The Acquire and Provision stage has a shorter lifespan of a few months, as compared to the Operate and Maintain stage, which typically extends into a few years for IT or tens of years for OT. A “Go-Live” event typically separates the two stages.

Government, public sector entities and large enterprises have two broad frameworks for acquisition of capabilities, namely, Detailed Project Reports (DPR) and Request for Proposal (RFP).

The DPR framework is used when the requirement is for large scale and complex use of IT for transformation of business functions. RFPs are more focused and are typically used for incremental improvement of business functions using IT.

Technology Strategy and Perspective Planning

A study of various DPRs indicates that they reflect the strategic direction of the organisations in the use of IT and cover a period of 7 to 10 years. However, each DPR is usually treated as a standalone document, and the strategic thinking recorded in one DPR is not fully carried into other DPRs.

Entities may consider the development of a common “Technology Strategy and Perspective Planning (TS&PP)” document that captures the entity-wide strategic use of technology by the organisation. All DPRs and RFPs must then be aligned with the TS&PP document.

The following aspects of strategic direction, which are typically recorded in the DPRs, may be moved into the TS&PP document:

  • Mission, functions, business capabilities and business processes of the organisation.
  • External context – other organisations with whom governance, business and IT-driven interactions are carried out. This should also include the likely sources of threats and liabilities created by the external partners.
  • Internal context – organisational hierarchy and structure, sites and locations, line, staff and functional units, roles and responsibilities of departments and key personnel.
  • Current state of use of IT and information security to support the business functions.
  • Expectations from the use of IT in terms of enhancement of capabilities, efficiency, and effectiveness in carrying out the business functions.
  • Expected or desired future state of use of IT and information security.

Some examples of strategic directions regarding the use of IT are given below:

  1. Selection of data centre and cloud service providers:
  • owned by the organisation.
  • provided by a government-owned or public sector entity.
  • provided by a private entity with India-based data centres.
  • multi-country-based data centres.
  2. Models of cloud deployment:
  • IaaS
  • PaaS
  • SaaS
  • XaaS
  3. Data access concerns:
  • data access is required only for India-based users and systems.
  • data access is required for users and systems located outside India.
  4. Data localisation concerns:
  • data can reside in any country.
  • data can reside in any country, but one copy must reside in India for accessibility to regulatory and legal authorities.
  • data must reside within India only and not move out of Indian jurisdiction.
  5. Models of workforce supply chain:
  • entity’s own employees.
  • contracted employees hired from manpower provider entities.
  • outsourced work to service providers using their own employees.
  6. Data classification and handling methodologies for data that is created, stored, and shared in electronic form.
  7. Information Security Assurance and ISMS:
  • entities to have a trusted mechanism of internal and external audits, undertaken and reported by competent independent auditors.
  • the audit scope, audit objectives, and audit criteria to be defined by the entity in consultation with, and under the direction of, the concerned controlling / regulating body.
  • the audit methodologies adopted to be in accordance with internationally accepted practices.
  • the competency of the auditors to be ensured and ascertained through recognised trainings and evaluation criteria.
  8. Information security capabilities to enable a smart, resilient, and sustainable digital ecosystem.
  9. Systems and security engineering lifecycle approaches.
  10. Technologies, practices, and operating processes.

Enterprise Architecture

Organisations acquire off-the-shelf, custom-developed or SaaS-based business systems (ERP, CRM, etc.) to automate the business and industrial processes that deliver their business needs. The business systems run on underlying technology systems, which may be off-the-shelf, custom-built or in the cloud.

A well-defined and well-designed architecture is crucial for the long-term resilience of an organisation’s business and technology systems. The mandatory governance, risk, compliance, and audit requirements prescribed by the regulators and nodal bodies are best achieved when they are embedded into the enterprise business and technology architectures of the entities.

The Enterprise Architecture Framework provides common information and guidance to create good architecture documents for use by various stakeholders responsible for design, engineering, implementation, maintenance and incremental enhancements of systems.

Enterprise architects are the best people to create the business and technology architectures. The Technology Strategy and Perspective Planning Group may be assigned responsibility for the creation, periodic review and update of the architecture. The group should also advise the top management on providing the required strategic direction. Once accepted by the top management, the architecture can be used as a common base framework in DPRs and RFPs.

Ontology of Tags

Entities use a wide variety of methods to depict and describe their enterprise business and technology architectures. However, there is no commonality on this aspect amongst the CSEs of different sectors.

The ontology of tags provides a common mechanism for business and technical managers to express distinct characteristics or features of various architectural elements. The common ontology helps different stakeholders to evaluate the impact, risk, compliance, governance, security, monitoring, and oversight aspects of the architecture elements. A combined view of all the evaluations can help the top management to decide and direct the most appropriate use of IT and prioritisation for investments.

The business and technology operation levels of the entity hierarchy can further use the ontology of tags to evaluate, decide, design, procure, implement, deploy, operate, manage, support, and monitor the digital ecosystem resources over their operating lifecycle.

The common ontology also helps the Government ministries, regulators, and national nodal bodies to focus their policies, regulations, oversight, and monitoring mechanisms on the vital components of the enterprise architecture.
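The following is an added example (not part of this document or any published tag ontology) showing one way such tags can be made machine-checkable. The tag vocabulary is constructed from the strategic directions listed earlier on this page (hosting, cloud model, data access, data localisation, workforce); the consistency rules, the element names and the severity scale are this example's own assumptions. Each finding is attributed to an oversight area so that the per-element evaluations can be rolled up into the combined view the text describes.

```python
from dataclasses import dataclass
from collections import Counter

# Tag vocabulary, constructed for this example from the strategic directions
# in the text. Key and value names are assumptions, not a standard vocabulary.
VOCABULARY = {
    "hosting": {"owned", "public-sector", "private-india", "multi-country"},
    "cloud_model": {"on-premises", "IaaS", "PaaS", "SaaS"},
    "data_access": {"india-only", "includes-outside-india"},
    "localisation": {"any-country", "any-country-india-copy", "india-only"},
    "workforce": {"own-employees", "contracted", "outsourced"},
}


@dataclass(frozen=True)
class Element:
    """One architecture element (system, data store, interface) and its tags."""
    name: str
    tags: dict


def validate_tags(element):
    """Return a list of problems with the element's tags (empty means well-formed)."""
    problems = []
    for key, value in element.tags.items():
        if key not in VOCABULARY:
            problems.append(f"{element.name}: unknown tag '{key}'")
        elif value not in VOCABULARY[key]:
            problems.append(f"{element.name}: unknown value '{value}' for tag '{key}'")
    return problems


def evaluate(element):
    """Apply consistency rules to one element's tags.

    Each finding is (area, severity, message). The rules below are assumed,
    illustrative rules written for this example, not rules stated by the text.
    """
    t = element.tags
    findings = []
    if t.get("localisation") == "india-only" and t.get("hosting") == "multi-country":
        findings.append(("compliance", "high",
                         f"{element.name}: tagged india-only but hosted in multi-country data centres"))
    if t.get("localisation") == "any-country-india-copy" and t.get("hosting") == "multi-country":
        findings.append(("compliance", "medium",
                         f"{element.name}: confirm an India-resident copy is maintained for regulators"))
    if t.get("data_access") == "includes-outside-india" and t.get("localisation") == "india-only":
        findings.append(("security", "medium",
                         f"{element.name}: India-resident data accessed from outside India; "
                         "access control and monitoring needed"))
    if t.get("workforce") == "outsourced" and t.get("cloud_model") in {"on-premises", "IaaS"}:
        findings.append(("oversight", "medium",
                         f"{element.name}: third-party staff hold infrastructure-level privileges; "
                         "record accountability and review access"))
    return findings


def combined_view(elements):
    """Roll all findings up by (area, severity) for the top-management view."""
    counts = Counter()
    for element in elements:
        for area, severity, _ in evaluate(element):
            counts[(area, severity)] += 1
    return dict(counts)


# Constructed sample elements (names and tags are illustrative).
SAMPLE_ELEMENTS = [
    Element("citizen-records-db", {"hosting": "multi-country", "cloud_model": "PaaS",
                                   "data_access": "india-only", "localisation": "india-only",
                                   "workforce": "own-employees"}),
    Element("hr-portal", {"hosting": "private-india", "cloud_model": "SaaS",
                          "data_access": "includes-outside-india", "localisation": "india-only",
                          "workforce": "contracted"}),
    Element("scada-historian", {"hosting": "owned", "cloud_model": "on-premises",
                                "data_access": "india-only", "localisation": "india-only",
                                "workforce": "outsourced"}),
]


if __name__ == "__main__":
    for element in SAMPLE_ELEMENTS:
        for problem in validate_tags(element):
            print("TAG ERROR:", problem)
        for area, severity, message in evaluate(element):
            print(f"[{area}/{severity}] {message}")
    print("combined view:", combined_view(SAMPLE_ELEMENTS))
```

Because the vocabulary is closed, `validate_tags` rejects elements whose tags would silently bypass every rule; running validation before evaluation is what makes the combined view trustworthy.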

Important

Entities typically do not adopt the best practice of creating a baseline record of key security architectural decisions and security configurations of systems at the Go-Live stage. It is usually left to the SI and OEMs to keep such records.

These records are vital during the operations stage to discover the changes to architecture and configurations, some of which may have been triggered by malicious activities.

Top management and external oversight bodies must insist that such records are maintained by the project management teams and the teams managing the business and technology systems.
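As an added illustration (not part of this document, and not a tool of any SI or OEM), the script below captures a Go-Live baseline of configuration files and recorded security decisions, seals it with a digest so later tampering with the record itself is detectable, and reports drift against a later snapshot. The file paths, their contents and the decision entries are constructed sample data; in practice `read_tree` would be pointed at the real configuration directories.

```python
import hashlib
import json
import os
from datetime import datetime, timezone


def read_tree(root):
    """Collect {relative path: bytes} for every regular file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    files[rel] = fh.read()
    return files


def capture_baseline(files, decisions, label="go-live"):
    """Build a baseline record: per-file SHA-256 and size, plus the key
    security decisions, sealed with a digest over the canonical content."""
    entries = {path: {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
               for path, data in files.items()}
    record = {
        "label": label,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "decisions": dict(decisions),
        "files": entries,
    }
    record["record_digest"] = _record_digest(record)
    return record


def _record_digest(record):
    # Canonical JSON (sorted keys) over the content fields only, so the digest
    # does not depend on capture time or key order.
    canonical = json.dumps({"decisions": record["decisions"], "files": record["files"]},
                           sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_record(record):
    """True if the record's content still matches its sealed digest."""
    return record.get("record_digest") == _record_digest(record)


def detect_drift(baseline, current_files, current_decisions):
    """Compare a later snapshot against the baseline."""
    current = capture_baseline(current_files, current_decisions, label="current")
    b, c = baseline["files"], current["files"]
    all_keys = set(baseline["decisions"]) | set(current_decisions)
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(p for p in set(b) & set(c) if b[p]["sha256"] != c[p]["sha256"]),
        "decision_changes": sorted(k for k in all_keys
                                   if baseline["decisions"].get(k) != current_decisions.get(k)),
    }


# Constructed sample: what the Go-Live record might contain.
GO_LIVE_FILES = {
    "etc/app/app.conf": b"listen=127.0.0.1:8080\ntls=required\n",
    "etc/app/firewall.rules": b"default deny\nallow 10.0.0.0/8 -> 8080\n",
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}
GO_LIVE_DECISIONS = {
    "admin_access": "jump host with MFA",
    "db_encryption_at_rest": "enabled",
    "internet_exposure": "reverse proxy only",
}


if __name__ == "__main__":
    baseline = capture_baseline(GO_LIVE_FILES, GO_LIVE_DECISIONS)
    print(json.dumps(baseline, indent=2))
    # Simulated operations-stage state: one config weakened, one rule file
    # gone, one new file, one architectural decision silently changed.
    later_files = dict(GO_LIVE_FILES)
    later_files["etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    del later_files["etc/app/firewall.rules"]
    later_files["etc/app/debug.conf"] = b"debug=true\n"
    later_decisions = dict(GO_LIVE_DECISIONS, admin_access="direct ssh from office LAN")
    print("record intact:", verify_record(baseline))
    print(json.dumps(detect_drift(baseline, later_files, later_decisions), indent=2))
```

The record stores only hashes, not the configuration contents, so it can be handed to an oversight body without exposing secrets that may sit in the files; the sealed digest is what lets the project management team show that the record they hold is the one taken at Go-Live rather than one rewritten afterwards.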