You are currently viewing a new version of our website. To view the old version click .
MDPIMDPI
Search all articles
Information
Download PDF
  • Article
  • Open Access

29 September 2020

Information and Communication Technology (ICT) Governance Processes: A Case Study

,
,
,
,
,
,
and
1
Department of Computer Science, University of Brasília (UnB), P.O. Box 4466, Brasília DF CEP 70910-900, Brazil
2
National Science and Technology Institute on Cyber Security, Department of Electrical Engineering, University of Brasília (UnB), P.O. Box 4466, Brasília DF CEP 70910-900, Brazil
3
General Coordination of Information Technology (CGTI), Administrative Council for Economic Defense (CADE), Brasília DF CEP 70770-504, Brazil
*
Author to whom correspondence should be addressed.
Information2020, 11(10), 462;https://doi.org/10.3390/info11100462
Version Notes
Order Reprints
Review Reports

Abstract

Information and Communication Technology (ICT) Governance is increasingly necessary and present in organizations aiming to improve the maturity of their ICT processes. This paper presents an analysis of the ICT Governance processes of a Brazilian Federal Public Administration agency. To assess the maturity of the ICT Governance processes, we surveyed and diagnosed the processes performed by the agency and organized a series of meetings/discussions to assist in the improvement and modeling of the processes related to the ICT Contract Planning process. As a result, we proposed improvements and identified the maturity level of the existing ICT processes, also assessing the awareness of employees of the General Coordination of Information Technology regarding these processes. Our findings reveal that the agency still needs to implement the following processes: (1) ICT People Management; (2) Business Process Modeling (Automated/to Automate); (3) Change Management; (4) Execution Monitoring of the ICT Projects and Services Portfolio; and (5) ICT Service Continuity Management. We also identified several artifacts that need to be implemented by the agency in different processes and collected survey participants’ suggestions about new processes to improve the maturity in ICT Governance.

1. Introduction

With well-defined governance processes, organizations can gain a strategic advantage over others as they systematically evaluate and improve their processes and services, leading the organization to perform better and, consequently, to be more competitive. There is a link between Information and Communication Technologies (ICT) and improved governance, providing a competitive advantage for organizations and citizens. The adoption of adequate and mature ICT processes, allows managers and their employees to provide services with quality and transparency, especially in relation to the management of public ICT resources [1]. In this context, stakeholders need to manage, measure, and monitor the ICT goods and services offered to citizens. In addition, the decentralization of ICT services should allow the use of practices that improve the supervision and accountability of poor management of ICT resources by the Federal Public Administration, considerably mitigating the monopoly of information by some stakeholders [2].
ICT Governance should be understood as the use of well-aligned processes to improve the governance of ICT resources by all stakeholders, including business, government, and citizens alike. Improvements in ICT Governance incorporates improvements, among others, on the respect for organizations in a country, citizen participation, and the delivery of quality public goods and services. Thus, ICT processes in organizations, whether public or private, are a basic factor to achieve better efficiency, effectiveness, and competitiveness, since there is no ICT product or service without an associated process or practice [3].
Therefore, understanding how organizations manage their activities and how they formulate and align their ICT processes, becomes an essential factor for organizational success. Thus, this work aims to diagnose the ICT practices and processes of a Brazilian Federal Public Administration agency, named the Administrative Council for Economic Defense (Conselho Administrativo de Defesa Econômica (CADE)). A diagnosis of ICT processes is important to identify the processes that CADE needs to implement in order to manage its ICT resources and improve their performance. In addition, CADE needs to improve its ICT processes, optimize the use of ICT resources and reinforce best practices in relation to ICT management so that the organization can achieve its goals and excel in providing services to other government agencies and the citizens. The main goal is to analyze and verify the ICT processes of CADE’s General Coordination of Information Technology (Coordenação-Geral de Tecnologia da Informação (CGTI)) and to carry out a compliance analysis of the ICT Solutions Contract Planning process with the rules that govern ICT solutions outsourcing within the scope of Information Technology Resources Management System (http://www.sisp.gov.br/) (Sistema de Administração dos Recursos de Tecnologia da Informação (SISP). The diagnosis and conformity analyses were carried out by the research team from the University of Brasília (UnB) (Decision Technologies Laboratory—LATITUDE), together with CGTI staff members, using a multi-methods approach [4]. The approach used strategies that involve data collection to better understand the problems in the investigated context. The data collection involved both quantitative and qualitative information and were carried out through a survey with employees of the agency and interviews with stakeholders.
The main contribution of this work was to identify the current scenario of CADE in relation to its ICT Governance processes, mainly in relation to the processes already implemented, as well as ICT processes that need to be fully implemented. The artifacts of each ICT process were also evaluated, in order to allow CADE to have an ICT Governance maturity level appropriate to the needs of the Federal Public Administration (APF). In addition, we carry out a compliance analysis and propose improvements in the modeling of the ICT Solution Contract Planning process, in accordance with the normative instructions in force in the country. Our findings allowed CADE to define and prioritize the ICT processes that need to be implemented to improve its performance in the provision of ICT services.
This article is organized as follows. Section 2 presents the contextualization of the concepts of Governance, Risk Management, and ICT Services Outsourcing (ITO), as well as related works. Section 3 presents the methodology used to perform this research. Section 4 presents the results obtained in this research, as well as a discussion about its results and the lessons learned during it. Section 5 presents threats to the validity of the results. Finally, Section 6 presents the conclusion of this work, as well as suggested future work.

3. Methodology

We followed a multi-methods approach with a sequential exploratory strategy [4]. In the first step, we gathered a set of data from CADE’s ICT processes and their respective artifacts. We conducted an analysis of the processes and rules and laws that regulate the provision of services by government agencies in Brazil, in order to identify the compliance of these processes with Brazilian law. After data collection, we performed an analysis of the ICT processes. From the results of the analysis, we performed the modeling of the respective processes and suggest some improvements in the flow of activities. In the second stage, we conducted a survey with CADE’s employees to identify their perception of the ICT processes that the agency had implemented and or needed to implement. In the third stage, we conducted some interviews with CADE’s stakeholders to discuss the results of the process analysis and survey. As a result, we suggest some processes to be implemented, as well as the sequence in which they should be implemented.
We conducted the case study at the General Coordination of Information Technology (CGTI) of the Administrative Council for Economic Defense (CADE) (http://en.cade.gov.br/), which is a federal autarchy, linked to the Ministry of Justice, with headquarters and venue in the Federal District, which exercises, throughout the national territory, the attributions given by Law number 12529/2011. CADE’s mission is to ensure free competition in the market, being the entity responsible, within the scope of the Executive Branch, not only for investigating and ultimately deciding on competitive matters but also for promoting and disseminating the culture of free competition. CADE’s duties are defined by Law number 12529, of 30 November 2011, and complemented by CADE’s Internal Regulations, approved by Resolution number 20, of 7 June 2017. CADE has three functions:
(1)
Preventive: analyze and subsequently decide on mergers, acquisitions of control, incorporations, and other acts of economic concentration between large companies that may put free competition at risk;
(2)
Repressive: to investigate, throughout the national territory, and later to judge cartels and other harmful conduct to free competition;
(3)
Educational: instructing the general public about the various behaviors that may hinder free competition; encourage and stimulate academic studies and research on the subject, establishing partnerships with universities, research institutes, associations, and government agencies; conduct or support courses, lectures, seminars, and events related to the subject; edit publications, such as the Competition Law Magazine (Revista de Direito da Concorrência) and booklets.
CADE’s CGTI is responsible for decisions related to ICT Governance with regard to Information and Communication Technology Contracting Planning (PCTIC).
The organizational structure of CADE, according to the Internal Regulations, is composed of the agencies of direct and immediate assistance to CADE’s President; sectional agencies; specific and singular agencies and, a collegiate agency. Among the sectional agencies, there is the Directorate of Administration and Planning (DAP) which, in order to fulfill its powers, is divided into coordinations, among them, the General Coordination of Information Technology (CGTI). CGTI is the sectional unit responsible for managing CADE’s Information and Communication Technology, as shown in Figure 1. CGTI is composed of the following units: Information Technology Infrastructure Service (SESIN); Information Systems Service (SESIS); Management and Governance Services (SEGOV); and Information and Communication Security Service (SESIC).
Figure 1. CADE’s General Coordination of Information Technology organizational structure.

3.1. Compliance Analysis

The case study was carried out at CADE to analyze the modeling of the Master Plan for Information and Communication Technology (PCTIC) processes, which aims to ascertain the alignment of the contract’s request with CADE’s PDTIC, as well as to perform a comparative analysis of solutions and costs, thus ensuring the optimal use of CGTI resources. The purpose of the processes’ analysis was to verify the compliance of the PCTIC with the Normative Instructions (IN) 01/2019, published on 4 April 2019, and IN202/2019, published on 18 September 2019 [46].
After performing the compliance check, we discussed with the CGTI about which processes should be performed concerning the planning of ICT outsourcing so that all activities of this process are carried out following the processes proposed by IN01/2019 and the CADE’s internal regulations. Thus, the mapped processes provide the necessary information so that CGTI can, in an organized and appropriate manner, define how inputs and materials will be transformed into outputs by the responsible operating unit. In general, the mapped processes make it possible to structure the execution of activities that will be developed by CGTI, always aiming at simplifying, analyzing, and improving the execution of each of CGTI activities, as a way of articulating the permanent search for improvement and performance of ICT Governance, both by the CGTI and by its employees.

3.2. Survey with CGTI Employees

We conducted a survey with CGTI employees to verify what knowledge they had of the ICT Governance processes proposed by Canedo et al. [7,47]. The survey was designed according to the one proposed by Kitchenham et al. [48] and had two stages: (1) the first stage to collect demographic information from the participants; and (2) the second stage with 39 closed questions and an open question to check the knowledge of employees regarding the ICT Governance processes and artifacts. The survey’s questions can be accessed at this URL: https://leomarcamargo.github.io/survey-cade/index.html. In total, all of the 10 CGTI employees responded to the survey, and Table 1 presents the profile of all respondents, in which 60% of CGTI employees were between 41 and 50 years old and 40% between 31 and 40 years old. Ninety percent were men, and only one respondent was a woman (10%). Twenty percent worked at CADE between 5 and 7 years, 40% between 2 and 4 years, and up to 1 year, respectively. In addition to the survey, we conducted interviews with CGTI stakeholders to discuss the results found with the survey in order to understand and resolve some conflicts identified during the analysis of the results.
Table 1. Profile participants.

4. Results and Discussion

4.1. Suggestions for Improvements in the Information and Communication Technology Outsourcing Processes

The planning for outsourcing Information and Communication Technology (ICT) solutions aims to ensure alignment of the request to the Information and Communication Technology Master Plan (PDTIC), as well as to perform a comparative analysis of solutions and costs, thus ensuring optimal use of resources. In modeling the processes related to the contracting of ICT solutions, CGTI acts as the ICT area, the sectorial unit responsible for managing Information and Communication Technology and for the planning, coordination, and monitoring of actions related to the ICT solutions of the agency. It must follow the Normative Instruction (IN) IN01, which regulates the process of contracting ICT solutions by the agencies and entities that are part of the Federal Executive Branch’s SISP.
The process of contracting ICT solutions must follow the following phases: (1) Planning of contracting; (2) selection of the supplier; and (3) contract management, in parallel to these phases, risk management activities must be carried out, as shown in Figure 2.
Figure 2. Phases of the Information and Communication Technology (ICT) solutions contracting process.
The Contracting Planning process begins with the CGTI receiving the Demand Officialization Document (DOD), prepared by the solution’s Requesting Area, and is concluded with the preparation of the Terms of Reference/Basic Project. The Contracting Planning phase consists of three phases, the institution of the Contracting Planning Team, the preparation of the contracting Preliminary Technical Study, and the preparation of the Terms of Reference/Basic Project.
The Supplier Selection process begins with the Terms of Reference or Basic Project being sent by the Contracting Planning Area to the Bidding Area, and it ends with the publication of the bidding result after the award and approval. It is the responsibility of the Bidding Area team to conduct the main activities of this process. The ICT solution Contract Management process begins with the receipt of the Approved Contract to be signed. This process includes activities to initiate the contract, sign the contract, and execute the Service Order (OS) or Order for the Supply of Goods (OFB). As for the Risk Management process applied to ICT contracting, the purpose is to define the stages of preparation of the Risk Management Map, which must contain, at least: (1) the identification and analysis of the main risks; (2) the assessment and selection of the risk response according to the agency’s risk tolerance; and (3) the registration and monitoring of risk treatment actions.
We suggest improvements in modeling in all phases of the process of contracting ICT solutions, checking the compliance of each activity with Normative Instruction IN01 and its respective updates, IN202 and IN40, and also adapting the flows to CADE’s practices and reality. An example of the improvements suggested by the research team to the agency is presented in Figure 3 and Figure 4, which demonstrate the changes made in one of the Contract Management sub-processes, in the OS/OFB Execution sub-process.
Figure 3. Initial execution of the Service Order (OS)/Order for the Supply of Goods (OFB).
Figure 4. Execution of the OS/OFB with the suggested improvements.
The changes in the OS/OFB Execution sub-process, shown in Figure 4, consist of 5 new activities, 2 new decision gateways, and 1 new artifact, all indicated in light yellow. The gateways were added to better indicate the two possible results of the processes “Check incidence of disallowance or sanction” and “Check tax, labor, and social security compliance”. The absence of at least two possible results, the existence or not of disallowance, regularity, or irregularity, made these activities meaningless. Thus, the two decision gateways and the 4 processes resulting from their results allow the operationalization of these important checks in the process. The last activity added, “Create Payment Checklist”, refers to the implementation of a compliance checkpoint when moving the process from one area/responsible to another. In the case of the OS/OFB Execution sub-process, the Technical Inspector creates and fills in the Payment Checklist, a new artifact that allows the compliance control of the items of the Definitive Receipt Terms, which will be forwarded to the Administrative Inspector. This new practice increases transparency between areas and makes it possible to establish more clearly the responsibilities for the results of each activity in the process.

4.2. Diagnosis of ICT Governance Processes

This section presents the results obtained in the survey with the responses of CGTI employees. We divide the analysis by the maturity levels of the ICT Governance processes. In Section 4.2.1, the analysis of the basic ICT processes is presented, which have a Capability Maturity Model Integration (CMMI) maturity level equal to 2 [7]. In Section 4.2.2, we present the analysis of the intermediate processes, which have a maturity level of 3 [7], and, finally, in Section 4.2.3, the analysis of advanced processes with a maturity level of 4 and 5 is presented [7].

4.2.1. Basic ICT Processes

Regarding the processes that include the basic ICT processes for agencies with little or no maturity in ICT, only the ICT People Management process, and its artifacts (Talent Bank; Skills and Competencies; and Role and Responsibility Definition Form) are not implemented at CADE. The Information Technology Master Plan (PDTI) is the process best known to employees, except for a single respondent.These results support the findings of Freitas et al. [49], which affirm that in order to minimize the risks in ICT resource management, all participants must know their in an organization’s PDTI and execute its activities, following the principles and goals defined in the PDTI. All employees who claim to have up to one year of experience at CADE are unaware of the existence of the Catalog of Computerized Systems (Catalog of ICT Services—Form with the Responsible for ICT and Business Areas and Catalog of ICT Services), indicating an alert for the current process of integrating new employees and the CGTI’s team. Figure 5 shows the basic ICT processes that the agency has implemented, according to the responses of the participants.
Figure 5. Basic ICT processes.
Regarding the ICT Committee process artifacts, only 30% of respondents, the CGTI Coordinator, the Responsible for ICT Governance, and an ICT Analyst, is aware of all the process artifacts, namely: Internal Creation Standard of the ICT Committee, Internal Rules of the ICT Committee, and Minutes of the ICT Committee meeting. Among all ICT Analysts, a function that represents the majority of respondents, only one has knowledge of all artifacts. The Internal Standard for the Creation of the ICT Committee is the most familiar artifact among respondents, 70% of whom claimed to know its existence, as shown in Figure 6a. Regarding the artifacts of the ICT Projects and Services Portfolio process, all respondents said they knew the existence of the ICT Projects and Services Prioritization Criteria artifact. Only 1 survey participant, who has the role of ICT Administrative Assistant, stated that the artifact ICT Projects and Services Portfolio Performance Report is implemented by the agency, as shown in Figure 6b. This finding leads us to believe that this artifact is probably not implemented by CADE and needs to be implemented since it is part of the group of basic processes and artifacts that an agency must have in order to be at least at level 2 of maturity in its ICT Governance processes. As stated by Silva et al. [3], the basic ICT processes must all be implemented by an organization so that it has the minimum maturity required to provide ICT services.
Figure 6. (a) The ICT Committee process artifacts; (b) the ICT Projects and Services Portfolio process artifacts.
Although the ICT People Management process (Talent Bank; Skills and Competencies; and Role and Responsibility Definition Form) is not implemented in the agency, as all respondents stated in relation to the basic processes that the agency has implemented, two respondents (20%—the head of ICT Governance and an ICT Analyst) stated the existence of the CADE’s Roles Definition Form artifact, as shown in Figure 7a. This answer allows us to conclude that the two respondents did not express the reality of the agency, since the same respondents stated that this process does not exist in the question that addressed the implementation of the process. According to Adam et al. [50], all organizations need to implement the ICT People Management process to ensure the quality of human resources in carrying out ICT activities. In the artifacts of the PDTI process, 60% of respondents stated that the agency has 10 or more artifacts implemented, out of a total of 12 artifacts existing in this process. 20% of CGTI workers stated the existence of all artifacts. Among the 12 artifacts, the least known by the survey respondents is the SWOT Analysis Model, in which only 40% of the participants stated that it was implemented in the agency, as shown in Figure 7b.
Figure 7. (a) The ICT People Management process artifacts; (b) the Information and Communication Technology Master Plan process artifacts.
Regarding the Computerized Systems Catalog (ICT Services Catalog) process, 70% of respondents stated that the agency has the ICT Services Catalog artifact. Among them, 30% also affirm the existence of the Form with the Heads of ICT and Business Areas, as shown in Figure 8a. In the artifacts of the Software Development process (Quality Management, Configuration), 40% of respondents stated that the agency has the Quality Management Plan and the Test Plan. For 30% of respondents, the agency also has the Requirements Traceability artifact. The artifact Software Development Process is known to 80% of respondents, as shown in Figure 8b. A single respondent stated that the Solution Maintenance Plan artifact is in place, which may be a warning about whether this artifact is actually implemented in the agency. There are several works in the literature [3,51,52,53,54] which assert the importance of organizations having a well-defined software development process, especially in relation to government agencies, which require maturity level 3 for an organization to be able to provide software development services to any agency of the Brazilian Government.
Figure 8. (a) The Computerized Systems Catalog (ICT Services Catalog) process artifacts; (b) the Software Development (Quality Management, Configuration) process artifacts.
Regarding the analysis of the basic ICT processes, we can conclude that only the ICT People Management process and its respective artifacts (Talent Bank (Skills and Competencies) and Role and Responsibility Definition Form) are not implemented in the agency. In addition, the ICT Projects and Services Portfolio Performance Reports artifact of the ICT Projects and Services Portfolio process and the Solution Development Maintenance Plan for the Software Development process (Quality Management, Configuration) are also not implemented in the agency.

4.2.2. ICT Intermediate Processes

In relation to the processes that contemplate the intermediate ICT processes, which are those that, once implemented, enable the agency to evolve to an intermediate level of maturity—level 3. The most known process among CGTI employees was the ICT Goods and Services Contracting process (Manage Software Acquisitions), in which 90% of the workers stated that the agency has this process in place, followed by the ICT Contract Management Process, known by 70% of respondents. The ICT Risk Management processes, Computerized Systems Catalogs (ICT Services Catalog—Service Level Agreement, Metrics, and Indicators for Service Performance and Service Level Agreements.), Information Security Risk Management and Software Development Process (Quality Management, Configuration) are known to 50% of survey respondents. Only two respondents claimed to know the existence of the Business Process Modeling (Automated/to be automated) and Change Management processes, as shown in Figure 9. This finding may indicate that these two processes are not actually implemented by the agency.
Figure 9. Intermediate ICT processes.
In the ICT Risk Management process, respondents stated that the agency has all the artifacts of this process, namely: ICT Risk Management Plan, ICT Risk Management Policy, and Information and Communication Security Policy. The information and communication security policy artifact is known to 90% of respondents. Only one respondent (10%) stated that he did not know if the artifacts of this process are implemented by the agency (Not Applicable), as shown in Figure 10a. Kim [55] presented a study discussing the implementation of ICT Governance and its effects on public organizations and the importance of the risk management process in the Korean government. Our study presents results similar to those of the author since almost all CADE employees know and understand the importance of the risk management process. Regarding the ICT Goods and Services Contracting process (Manage Software Acquisitions), there was a uniformity in the responses, the agency has all the artifacts presented (Demand Officialization Document, Model of the Terms of Commitment, Model of the Acknowledgment and Terms of Reference or Basic Project), according to 90% of respondents, as shown in Figure 10b.
Figure 10. (a) The ICT Risk Management process artifacts; (b) the ICT Goods and Services Contracting process (Manage Software Acquisitions) artifacts.
The Business Process Modeling (Automated/to be automated) process is not implemented in the agency, according to 80% of respondents. Strangely, two respondents (20%) stated that the agency has the artifact Form for Defining Roles, Responsibilities, Access Privileges, and Authority Levels implemented, as shown in Figure 11a. Since one of this two respondents stated that the process is not implemented, but that its artifact is, we can conclude that this process and all its artifacts (Form for Defining Roles, Responsibilities, Access Privileges, and Authority Levels; Business Process Modeling Simplification Document) are not implemented in the agency. Fritsch [56] stated in his research that for an organization to have a sustainable life cycle, all its business processes must be modeled, using standard notation, so that all employees of the organization know their activities and responsibilities in relation to the ICT services that the organization offers to its users.
Figure 11. (a) The Business Process Modeling (Automated/to be automated) process artifacts; (b) the Computerized Systems Catalog (ICT Services Catalog) process artifacts.
Regarding the Computerized Systems Catalog (ICT Services Catalog) process, 60% of respondents stated that the agency has implemented the Metric and Indicators for Service Performance and Service Level Agreements artifacts, and 50% of respondents said that the Service Level Agreement artifact is implemented at CADE. For 40% of respondents, the agency does not have any of the two process artifacts implemented, as shown in Figure 11b. In the Incident and Problem Management Process (Service Desk) the Knowledge Base artifact is the best known among respondents (70%). The Incident Reports and their Status, Service Request, and Incident Report and Corrective Action Report artifacts are known to 40%, 30%, and 20% of respondents, respectively. The Incident Management Plan and Problem Management Plan artifacts are known to only one survey respondent, as shown in Figure 12a. This finding leads us to conclude that these two artifacts are not implemented by the agency.
Figure 12. (a) The Incident and Problem Management Process (Service Desk) artifacts; (b) the Information Security Risk Management process artifacts.
Regarding the Information Security (IS) Risk Management process, 60% of the respondents chose to check “Not applicable”, not knowing any of the artifacts of the process. Forty percent of respondents, including the CGTI Coordinator and the Responsible for ICT Governance, stated that the agency has the Information Security Risk Management Plan artifact, as shown in Figure 12b. Thus, we can conclude that the IS Category and Parameter Form and IS Risk Treatment Plan artifacts are not implemented in the agency.
In the Software Development Process (Quality Management, Configuration), 60% of the respondents stated that the agency has the Artifact Metrics of Quality Measurement Report, which is the best known among survey participants, followed by the Document of Measurements and the Report on Quality Standards, Practices and Procedures, both known to 50% of CGTI workers. The Configuration Audit Plan and Baselines, and the Improvement Plan artifacts are known to only 10% of CGTI employees, as shown in Figure 13a. This finding shows that these two artifacts are not implemented at the agency. For 60% of respondents, the Change Management Process artifacts are not implemented by CADE, although the Change Management Plan and Configuration Management Plan artifacts have been recognized by 20% of respondents, and only one respondent stated that the agency has the Change Report, as shown in Figure 13b.
Figure 13. (a) The software development process (Quality Management, Configuration) artifacts; (b) the Change Management Process artifacts.
In the Manage ICT Assets (Hardware, Licenses, and Costs) process, the most known artifact among respondents is the ICT Assets Report (80%), followed by the ICT Licenses Report (70%). Fifty percent of respondents stated that the agency has the Indicators and Metrics artifacts to Manage Hardware Assets Capacity and Performance and the Hardware Assets Performance Report. Only 20% of respondents know the License Management Plan, as shown in Figure 14a.
Figure 14. (a) The Manage ICT Assets (Hardware, Licenses and Costs) process artifacts; (b) the ICT Contract Management process artifacts.
The ICT Contract Management process is the most popular among CGTI workers, four of the ten artifacts in the process are known to 90% of respondents, namely: (1) Terms of Reference or Basic Project; (2) Services or Supply of Goods Orders; (3) Provisional Receipt Terms; and (4) Final Receipt Terms. Only 20% of the servers claimed to know only 2 or 3 artifacts. The Supplier/Contractor Performance Report and Indicators and Metrics to measure results are the least known by the participants, only 30% of respondents stated that the agency has it, as shown in Figure 14b.
Based on the survey findings in relation to the intermediate ICT processes, we can conclude that the processes: (1) Business Process Modeling (Automated/to be automated) and (2) Change Management Process, as well as all of its artifacts, are not implemented at CADE. In addition, the artifacts (a) Incident Management Plan and (b) Problem Management Plan for the Incident and Problem Management process (Service Desk); (c) Categories and Parameters Form for IS Risks; (d) IS Risk Treatment Plan for the Information Security Risk Management process; (e) Configuration Audit Plan and Baselines; and (f) Improvement Plan for the Software Development process (Quality Management, Configuration) are also not implemented by the agency.

4.2.3. Advanced ICT Processes

Regarding the processes that contemplate the advanced ICT processes for the agencies that wish to evolve to an improved stage of maturity, that is, to level 4 or 5, only the ICT People Management (Metrics to Evaluate Performance and Training Plan) process and Change Management (Causal Analysis Report) process and all its artifacts are not implemented in the agency. 30% of respondents do not know any of the advanced ICT processes. Another 30% claim that the agency has 6 out of 8 advanced ICT processes. The Information and Communication Security Policy process is the most well-known process among CGTI employees (80%), followed by the ICT Security Committee process (70%). The ICT Contract Management process is known to 50% of respondents. Only 20% stated that the ICT People Management (Metrics to Assess Performance and Training Plan) process is implemented by the agency, as shown in Figure 15.
Figure 15. Advanced ICT processes.
In the ICT People Management (Training, Performance, Roles and Responsibilities) process, 70% of respondents stated that the agency has the Training Plan artifact. The Metrics to Evaluate Performance artifact are known to only 20% of respondents, as shown in Figure 16a. This finding leads us to conclude that this artifact is not implemented by the agency. Regarding the process of Monitoring the Execution of the ICT Projects and Services Portfolio, 20% of the respondents said that the agency has the artifact Performance Reports of the ICT Projects and Services Portfolio and the other respondents (80%) chose by checking “Not applicable”, as shown in Figure 16b. These responses are at odds with the question that addresses the advanced ICT processes, in which 4 participants stated that this process was implemented by the agency, but, with the analysis of the process artifacts, we can conclude that this process is not implemented by the agency.
Figure 16. (a) The ICT People Management (Training, Performance, Roles, and Responsibilities) process artifacts; (b) Monitoring the Execution of the ICT Projects and Services Portfolio process artifacts.
In the ICT Security Committee process, 40% of respondents stated that the agency has all the implemented artifacts. The ICT Security Committee Internal Standard Creation artifact is known to 60% of respondents, followed by the ICT Security Committee Internal Regulation artifact (50%) and right after the ICT Security Committee Meeting Minutes artifact (40%). Only 30% of respondents stated that the artifacts do not apply, as shown in Figure 17a. In the ICT Services Continuity Management process, 70% of respondents chose to check “Not Applicable”, only 20% said the agency has the Service Continuity Plan artifact, and 10%, a single respondent, said that the agency has the Service Continuity Policy artifact, as shown in Figure 17b. Thus, we can conclude that the agency does not have this process and its artifacts implemented.
Figure 17. (a) The ICT Security Committee process artifacts; (b) the ICT Services Continuity Management process artifacts.
Regarding the Information and Communication Security Policy process, 40% of respondents stated that the agency has the artifacts: (1) Information Classification Form; and (2) Form for Defining Roles and Access Privileges. The Information and Communication Security Policy artifact is known to 90% of respondents, as shown in Figure 18a. Regarding the ICT Project Management process, the most known artifact among respondents is the Project Prioritization Criteria (70% of respondents know it). The artifacts: (1) Priority Projects Report; and (2) Project Scope Management Plan are known to 50% of CGTI employees. Out of the 14 artifacts in the process, 10 are known to 20% to 40% of respondents, namely: (1) Project Integration Management Plan; (2) Project Time Management Plan; (3) Project Cost Management Plan; (4) Project Quality Management Plan; (5) Project Communications Management Plan; (6) Project Risk Management Plan; (7) Project Procurement Management Plan; (8) Project Stakeholder Management Plan; (9) Projects Management Plan; (10) Project Performance Report. The Human Resource Project Management Plan artifact is known to only one respondent, as shown in Figure 18b. Therefore, we can conclude that this artifact is not implemented by CADE.
Figure 18. (a) The Information and Communication Security Policy process artifacts; (b) the ICT Project Management process artifacts.
In the ICT Contract Management process 40% of the respondents said that the agency has the Product Validation Criteria and Methods artifact, 20% know the Product and Components Validation Report artifact. The other respondents, 50%, stated that the agency does not have these artifacts, choosing to select the option “Not applicable”, as shown in Figure 19a. This result may be a warning factor regarding the implementation of these artifacts at CADE. As noted in the responses related to the advanced ICT processes, CADE does not have the Change Management process in place. Thus, it also does not have the Causal Analysis Report artifact, according to 100% of respondents, as shown in Figure 19b.
Figure 19. (a) The ICT Contract Management process artifacts; (b) the Change Management process artifacts.
The survey findings in relation to the advanced ICT processes, allow us to conclude that the processes: (1) Change Management and its artifact, Causal Analysis Report; (2) Monitor the Execution of the ICT Projects and Services Portfolio and its artifact, ICT Projects and Services Portfolio Performance Reports; and (3) ICT Services Continuity Management and its artifacts, Service Continuity Plan, and Service Continuity Policy are not implemented at CADE. In addition, the Metrics to Assess Performance of the ICT People Management process artifact, and the Human Resources Management Plan artifact of the ICT Project Management process are not implemented by CADE.
The survey also addressed other issues related to the creation of a working group and the deadlines required to implement the processes at CADE. Thus, 80% of CGTI employees totally agree with the institution of a working group with the objective of implementing the processes most appropriate to the ICT maturity of the agency. Twenty percent were neutral, as shown in Figure 20a. Regarding basic, intermediate, and advanced maturity processes, 90% of the respondents stated that they will contribute to the improvement of the ICT Governance processes at CADE, as shown in Figure 20b, and 80% agree that the maturity processes that were presented are in line with CADE’s reality, as shown in Figure 21b. In addition, the respondents presented some processes that they consider that were not addressed in the survey, in the basic, intermediate and advanced processes, namely: (1) Stakeholder Management; (2) Communication (not related to projects); (3) DevOps (a set of practices and cultural values that aims to reduce the barriers between development and operations teams) [57]; (4) Machine Learning Operations or DevOps for Machine Learning (MLOPS) [58]; (5) Data Governance [59]; and (6) Compliance (External Requirements and LGPD) [60,61,62,63], as shown in Figure 21a. These findings lead us to conclude that it is really necessary to add these processes and their respective artifacts to the set of ICT processes to measure the level of ICT Governance maturity of an agency.
Figure 20. (a) The perception of CGTI workers in relation to the institution of a working group to implement ICT processes at CADE; (b) the perception of CGTI workers in relation to whether the ICT processes presented will contribute to the improvement of ICT Governance processes at CADE.
Figure 21. (a) The artifacts suggested by CGTI workers to be added to the CADE context; (b) the perception of CGTI workers in relation to the adherence of ICT processes to CADE.
Regarding the possibility of implementing the maturity processes presented at CADE, 80% of the survey respondents agree that it is possible to implement the processes at CADE, only one (10%) disagreed. Forty percent of respondents disagree that the agency has human resources to implement and monitor the ICT maturity processes and 40% were neutral. Only 20% stated that the agency has enough staff to implement the ICT processes. Regarding the desired time to implement the processes presented, 70% of the respondents indicated 6 months to implement the basic processes, 60% opted for 12 to 18 months for the intermediate processes, and for the advanced processes, 12 months was stated by 80% of respondents.
Only 20% of CGTI employees said they did not know the Information and Communication Technology Master Plan (PDTIC), and 50% said they knew CADE’s Information and Communication Technology Governance Policy (PGTIC). All respondents (100%) claimed to know CADE’s Information and Communications Security Policy (POSIC).

5. Limitations and Threats to Validity

Although the results of this research have been shown to be satisfactory, it presents threats to its validity that cannot be disregarded, since different problems can be caused during the participation of CADE’s employees in carrying out the survey.
The target population of the diagnosis was a small group of participants, considering the size of CADE’s CGTI team, which facilitates the control of the survey application methodology. This contributes to standardize the reproduction of the applied methodology, which can lead to similar results in different contexts. In addition, it is important to note that the qualitative information of the data may vary, as it does not depend on the way the methodology was applied, since the way respondents react to a survey, depends on the context in which they are inserted. Thus, questions related to the respondent’s context can lead to divergent answers, even when we use the same application methodology.

5.1. Internal Validity

The application of the Diagnostic Questionnaire to identify the ICT Governance processes at CADE may not represent the real scenario in relation to its maturity, as well as not presenting all the artifacts that portray the CADE scenario. In response to the questionnaire, some CGTI participants were contradictory in relation to some questions. In order to mitigate this threat, we conducted meetings with the CGTI coordinator and the Responsible for ICT Governance to discuss the survey results and consolidate the participants’ view of all processes and artifacts.

5.2. External Validity

The representativeness of the population (the variety of participants) who responded to the survey was very small since CADE has few employees at CGTI—only 10 employees—and all of them responded to the survey. One way to mitigate this threat would be to reproduce this study with all CADE employees, for example, to include all CADE departments and outsourced employees and to compare their perception of the processes identified by CGTI employees. In addition, it is important to carry out new diagnostics in other federal public administration agencies, with the aim of verifying the adherence of ICT processes and artifacts in different organizations, with specific ICT contexts and needs.

5.3. Construct Validity

The distribution of the set of participants regarding the functions or positions of the participants in CADE may affect the results; however, most responses were obtained by positions of leadership or those responsible for the ICT processes. It is important to highlight that there is a risk that the answers are true but not consistent with the practice, such as affirming the existence of a process or artifact in which it formally exists on paper and that in practice, CADE does not execute it.

6. Conclusions

In this work, we carried out an analysis of the ICT Solution Contract Planning processes and proposed improvements in these processes so that different activity flows are adapted to CADE’s practices and reality. In addition, we carried out a diagnosis in the ICT processes of a Federal Public Administration agency in which we identified several processes and artifacts that were not implemented by the organization, such as the ICT People Management process and its respective artifacts, as well as the ICT Project and Service Portfolio Performance Report artifact that belongs to the ICT Project and Service Portfolio process and the Solution Maintenance Plan artifact for the Software Development process (Quality Management, Configuration).
Despite this, the results showed us that more than half of the respondents are aware of the existence of other processes, such as the ICT Goods and Services Contracting (Manage Software Acquisitions) process and the ICT Contract Management process. In addition, the respondents are aware of additional artifacts from different processes, for example, the artifacts of the Internal Standard for Creation and Regulation of the ICT Security Committee process. It is important to note that both scenarios (artifacts and processes identified or not) occurred regardless of the maturity level at which the processes or artifacts are found.
Finally, the survey allowed us to identify six new ICT processes to be used to verify the maturity of the ICT Governance processes. These processes and their respective artifacts will be added to our ICT Governance Kit [7]. The implementation of the new processes will allow better monitoring of CADE’s ICT resources. In addition, the standardization and implementation of ICT processes will contribute to CADE’s digital transformation. Thus, the main contribution of this work was to identify in the literature the existing works in relation to the ICT processes and to propose improvements in the processes of an APF agency, in order to improve the use of its ICT resources.
As future work, we intend to apply ICT processes in other agencies of the Federal Public Administration and in the industry. We also aim to use similar questionnaires in order to assess the perception of ICT processes maturity and, eventually, to identify new ICT processes of interest. The practical application of ICT processes in several agencies will allow us to make improvements in the proposed processes and artifacts, analyzing which processes can be excluded or changed.

Author Contributions

All authors contributed to performing the reported use case, Writing the Original Draft and Writing Review and Editing. All authors have read and agreed to the published version of the manuscript.

Funding

Publication fees were honored by the cooperation project between the Administrative Council for Economic Defense and the University of Brasilia (grant CADE 08700.000047/2019-14).

Acknowledgments

The authors would like to thank the support of the Brazilian research, development and innovation agencies CAPES (grants 23038.007604/2014-69 FORTE and 88887.144009/2017-00 PROBRAL), CNPq (grants 312180/2019-5 PQ-2, BRICS2017-591 LargEWiN, and 465741/2014-2 INCT in Cybersecurity) and FAP-DF (grants 0193.001366/2016 UIoT and 0193.001365/2016 SSDDC), as well as the cooperation projects with the Ministry of the Economy (grants DIPLA 005/2016 and ENAP 083/2016), the Institutional Security Office of the Presidency of the Republic (grant ABIN 002/2017), the Administrative Council for Economic Defense (grant CADE 08700.000047/2019-14), and the General Attorney of the Union (grant AGU 697.935/2019).

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Asongu, S.A.; Nwachukwu, J.C. The role of openness in the effect of ICT on governance. IT Dev. 2019, 25, 503–531. [Google Scholar] [CrossRef]
  2. Clara, A.M.C.; Canedo, E.D.; de Sousa Júnior, R.T. A synthesis of common guidelines for regulatory compliance verification in the context of ICT governance audits. Inf. Polity 2018, 23, 221–237. [Google Scholar] [CrossRef]
  3. da Silva, C.J.N.; Ribeiro, Q.A.D.S.; Soares, M.S.; do Nascimento, R.P.C. ICT Governance: A View of Adoption of Best Practices in Enterprises of Sergipe State. In Proceedings of the XV Brazilian Symposium on Information Systems; ACM: New York, NY, USA; Sergipe, Brazil, 2019; pp. 58:1–58:8. [Google Scholar]
  4. Easterbrook, S.; Singer, J.; Storey, M.A.; Damian, D. Selecting empirical methods for software engineering research. In Guide to Advanced Empirical Software Engineering; Springer: Berlin/Heiderberg, Germany; London, UK, 2008; pp. 285–311. [Google Scholar]
  5. Instituto Brasileiro de Governança Corporativa. Código das Melhores Práticas de Governança Corporativa; IBGC: São Paulo, Brazil, 2009. [Google Scholar]
  6. Fiorini, F.A.; Junior, N.A.; Alonso, V.L.C. Governança Corporativa: Conceitos e Aplicações. In Proceedings of the XIII Simpósio de Excelência em Gestão e Tecnologia (SEGet), Rezende, Brazil, 30–31 November 2016. [Google Scholar]
  7. Canedo, E.D.; da Costa, R.P.; de Sousa Junior, R.T.; Nze, G.D.A. Best Practices Kits for the ICT Governance Process within the Secretariat of State-Owned Companies of Brazil and Regarding these Public Companies. Information 2018, 9, 141. [Google Scholar] [CrossRef]
  8. Tuzzolo, O. Governança e Estratégia de Tecnologia da informação; Senac: São Paulo, Brazil, 2019; p. 182. [Google Scholar]
  9. De Haes, S.; Grembergen, W.V. Enterprise Governance of Information Technology Achieving Alignment and Value, Featuring COBIT 5; Springer: Berlin/Heiderberg, Germany, 2015; p. 178. [Google Scholar]
  10. Weill, P.; Ross, J. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results; Harvard Business School Press: Brighton, MA, USA, 2004; pp. 8–10. [Google Scholar]
  11. Feltus, C. Introducing ISO/IEC 38500: Corporate Governance in ICT; ITSMF Jaarcongres 2008: Luxembourg, Germany, 2012; pp. 27–28. [Google Scholar]
  12. Audit, I.S.; Association, C. COBIT 5: Enabling Processes; ISACA: Schaumburg, IL, USA, 2012. [Google Scholar]
  13. Datta, P. Digital Transformation of the Italian Public Administration: A Case Study. CAIS 2020, 46, 11. [Google Scholar] [CrossRef]
  14. Fanea-Ivanovici, M.; Pana, M. From Culture to Smart Culture. How Digital Transformations Enhance Citizens’ Well-Being Through Better Cultural Accessibility and Inclusion. IEEE Access 2020, 8, 37988–38000. [Google Scholar] [CrossRef]
  15. Filgueiras, F.; Flávio, C.; Palotti, P. Digital Transformation and Public Service Delivery in Brazil. Lat. Am. Policy 2019, 10, 195–219. [Google Scholar] [CrossRef]
  16. Luciano, E.M.; Wiedenhöft, G.C.; dos Santos, F.P. Promoting social participation through digital governance: Identifying barriers in the brazilian public administration. In Proceedings of the 19th Annual International Conference on Digital Government Research: Governance in the Data Age, Delft, The Netherlands, 30 May–1 June 2018; pp. 49:1–49:9. [Google Scholar]
  17. Decreto N° 8.638/2016. Available online: http://www.planalto.gov.br/CCIVIL_03/_Ato2015-2018/2016/Decreto/D8638.htm (accessed on 11 August 2020).
  18. Cunha, C.R.L.; A Transformação Digital do Governo Federal Brasileiro: Analisando as Recomendações dos Organismos Internacionais. UFMG 2019 Volume 1, pp. 1–34. Available online: http://hdl.handle.net/1843/33473 (accessed on 11 August 2020).
  19. Calder, A. ISO/IEC 38500: The IT Governance Standard; IT Governance Ltd.: Ely, UK, 2008. [Google Scholar]
  20. Balocco, R.; Ciappini, A.; Rangone, A. ICT Governance: A reference framework. Inf. Syst. Manag. 2013, 30, 150–167. [Google Scholar] [CrossRef]
  21. GET. IT Governance Evaluation Techniques for Information Technology; Working Group of Information Technology (WGITA); Internacional Organization of Supreme Audit Institutions (INTOSAI): Brasília, Brazil, 2016; Volume 1. [Google Scholar]
  22. Secretaria-Geral da Presidência da República. Implantação da Governança de Tecnologia da Informação e Comunicação nos órgãos e entidades pertencentes ao Sistema de Administração dos Recursos de Tecnologia da Informação do Poder Executivo Federal—SISP. Available online: https://www.in.gov.br/en/web/dou/-/portaria-n-18.152-de-4-de-agosto-de-2020-270473014 (accessed on 7 August 2020).
  23. y Rodríguez, M.V.R.; Vieira, D.M. Governança de TI no Setor Público–Caso DATAPREV. Revista Produção Online 2007, 7, 1–19. [Google Scholar]
  24. Silva, M.B.D.D.; Ramos, D.S.; dos Santos, D.X.; Soares, M.S.; Nunes, I.D.; do Nascimento, R.P.C. A Practical Approach to Teaching-Learning for Undergraduate Students: Governance of ICT directed to the Federal Public Administration (FPA). In Proceedings of the Euro American Conference on Telematics and Information Systems (EATIS 2018), Fortaleza, Brazil, 12–15 November 2018; ACM: New York, NY, USA, 2018; pp. 34:1–34:7. [Google Scholar] [CrossRef]
  25. Clara, A.M.C.; Canedo, E.D.; de Sousa Júnior, R.T. Elements that Orient the Regulatory Compliance Verification Audits on ICT Governance. In Proceedings of the 18th Annual International Conference on Digital Government Research (DG.O 2017), Staten Island, NY, USA, 7–9 June 2017; Hinnant, C.C., Ojo, A., Eds.; ACM: New York, NY, USA, 2017; pp. 177–184. [Google Scholar] [CrossRef]
  26. Brown, T.L.; Potoski, M.; Van Slyke, D.M. Managing public service contracts: Aligning values, institutions, and markets. Public Adm. Rev. 2006, 66, 323–331. [Google Scholar] [CrossRef]
  27. Lacity, M.C.; Khan, S.; Yan, A.; Willcocks, L.P. A review of the IT outsourcing empirical literature and future research directions. J. Inf. Technol. 2010, 25, 395–433. [Google Scholar] [CrossRef]
  28. Karimi-Alaghehband, F.; Rivard, S. IT outsourcing success: A dynamic capability-based model. J. Strateg. Inf. Syst. 2020, 29, 101599. [Google Scholar] [CrossRef]
  29. de Mendonça, C.M.C.; Guerra, L.C.B.; de Souza Neto, M.V.; de Araújo, A.G. Governança de tecnologia da informação: Um estudo do processo decisório em organizações públicas e privadas. Revista de Administração Pública-RAP 2013, 47, 443–468. [Google Scholar] [CrossRef]
  30. Klumb, R.; Azevedo, B.M.d. A percepção dos gestores operacionais sobre os impactos gerados nos processos de trabalho após a implementação das melhores práticas de governança de TI no TRE/SC. Revista de Administração Pública 2014, 48, 961–982. [Google Scholar] [CrossRef]
  31. Fontana, K.H.S.; Thiel, G.R.; Vanti, A.A.; Solana-González, P. Direitos decisórios e de contribuição nas estratégias de TI: Estudo em uma empresa de grande porte no Estado do RS. UOSC 2019, 18, 543–564. [Google Scholar] [CrossRef]
  32. Canedo, E.D.; da Costa, R.P.; Amaral, L.H.V.; Coutinho, M.; Nze, G.D.A.; de Sousa Junior, R.T. Proposal of an Implementation Methodology of ICT Processes. Information 2019, 10, 327. [Google Scholar] [CrossRef]
  33. Júnior, I.G.; Chaves, M.S. Novos riscos para a gestão de projetos de tecnologia da informação com equipes locais. Iberoam. J. Proj. Manag. 2014, 5, 16–38. [Google Scholar]
  34. Nakashima, D.T.V.; Carvalho, M.D. Identificação de riscos em projetos de TI. Encontro Nacional de Engenharia de Produção 2004, 24, 1–12. [Google Scholar]
  35. Wallace, L.; Keil, M.; Rai, A. How software project risk affects project performance: An investigation of the dimensions of risk and an exploratory model. Decis. Sci. 2004, 35, 289–321. [Google Scholar] [CrossRef]
  36. Souza, J.G.S.; De Almeida, R.F.; Kussama, L.; Arima, C.H.; Galegale, N.V. Gestão de riscos de segurança da informação e sua apresentação na governança de TI da administração pública. In Proceedings of the X Workshop de Pós-graduação e Pesquisa do Centro Paulo Souza, São Paulo, Brazil, 6–8 October 2015. [Google Scholar]
  37. Saeidi, P.; Saeidi, S.P.; Sofian, S.; Saeidi, S.P.; Nilashi, M.; Mardani, A. The impact of enterprise risk management on competitive advantage by moderating role of information technology. Comput. Stand. Interfaces 2019, 63, 67–82. [Google Scholar] [CrossRef]
  38. de Oliveira, W.F.M.; Leone, R.J.G.; de Souza, L.A. As variáveis para uma gestão de contratos eficiente: O caso de uma empresa pública federal. Administração Pública e Gestão Social 2020, 12, 1–21. [Google Scholar] [CrossRef]
  39. Faria, E.R.d.; Ferreira, M.A.M.; Santos, L.M.d.; Silveira, S.d.F.R. Fatores determinantes na variação dos preços dos produtos contratados por pregão eletrônico. Revista de Administração Pública 2010, 44, 1405–1428. [Google Scholar] [CrossRef]
  40. Franco, J.M.; Colpo, K.D.; Sudati, L.U.; Lacerda, R.A.B. Análise das práticas Organizacionais Para um Sistema de gerenciamento ambiental (sga) estudo de caso na ect–agência de santiago-rs. Revista de Contabilidade do Mestrado em Ciências Contábeis da UERJ 2010, 15, 63–74. [Google Scholar]
  41. Medeiros, F.S.B.; dos Santos, S.X.; Denardim, É.S.; Abbade, E.B. A qualidade dos produtos e serviços em licitações do tipo menor preço: Um estudo em uma câmara de vereadores do Rio Grande do Sul. REGE-Revista de Gestão 2014, 21, 491–508. [Google Scholar] [CrossRef][Green Version]
  42. Gudergan, G.; Mugge, P.; Kwiatkowski, A.; Abbu, H.; Michaelis, T.L.; Krechting, D. Patterns of Digitization–What differentiates digitally mature organizations? In Proceedings of the 2019 IEEE International Conference on Engineering, Technology and Innovation (ICE/ITMC), Valbonne Sophia, Antipolis, France, 17–19 June 2019; pp. 1–8. [Google Scholar]
  43. Hund, A.; Wagner, H.; Gewald, H. The Impact of Digitization on Contemporary Innovation Management; 25th AMERICAS CONFERENCE ON INFORMATION SYSTEMS (AMCIS); Association for Information Systems: Cancún, Mexico, 2019. [Google Scholar]
  44. Harris, J. The digitization of advice and welfare benefits services: Re-imagining the homeless user. Hous. Stud. 2020, 35, 143–162. [Google Scholar] [CrossRef]
  45. Silva, M.B.D.D.; Silva, E.C.; Filho, F.A.D.C.; Garcia, T.M.; Nunes, I.D.; do Nascimento, R.P.C. Public ICT Governance: A Quasi-systematic Review; 19th International Conference on Enterprise Information Systems (ICEIS) (2); SciTePress: Porto, Portugal, 2017; pp. 351–359. [Google Scholar]
  46. Governo Brasileiro gov.br, Legislação Contratações de TIC. Available online: https://www.gov.br/governodigital/pt-br/contratacoes/fluxo-da-instrucao-normativa-sgd-me-no-1-de-4-de-abril-de-2019 (accessed on 1 May 2020).
  47. Ministerio do Planejamento, G.e.D.; Kits de Governanca de TIC. MP 2018. Available online: http://www.planejamento.gov.br/assuntos/empresas-estatais/publicacoes/kits-governanca-ti (accessed on 1 June 2020).
  48. Kitchenham, B.; Pfleeger, S.L. Principles of survey research: Part 5: Populations and samples. ACM SIGSOFT Softw. Eng. Notes 2002, 27, 17–20. [Google Scholar] [CrossRef]
  49. de Freitas, S.A.A.; Canedo, E.D.; Felisdório, R.C.S.; Leão, H.A.T. Analysis of the Risk Management Process on the Development of the Public Sector Information Technology Master Plan. Information 2018, 9, 248. [Google Scholar] [CrossRef]
  50. Adam, I.O.; Alhassan, M.D.; Simpson, S.N.Y. The Effect of ICT Adoption on Corporate Governance: The Mediating Role of Human Resource Quality; 26th AMERICAS CONFERENCE ON INFORMATION SYSTEMS (AMCIS); Association for Information Systems: Atlanta, Georgia, 2020. [Google Scholar]
  51. Pereira, G.V.; Charalabidis, Y.; Alexopoulos, C.; Mureddu, F.; Parycek, P.; Ronzhyn, A.; Sarantis, D.; Flak, L.S.; Wimmer, M.A. Scientific foundations training and entrepreneurship activities in the domain of ICT-enabled governance. In Proceedings of the 19th Annual International Conference on Digital Government Research: Governance in the Data Age, Delft, The Netherlands, 30 May–1 June 2018; ACM: New York, NY, USA, 2018; pp. 98:1–98:2. [Google Scholar]
  52. Wautelet, Y. A model-driven IT governance process based on the strategic impact evaluation of services. J. Syst. Softw. 2019, 149, 462–475. [Google Scholar] [CrossRef]
  53. Lopez-Arredondo, L.P.; Perez, C.B.; Villavicencio-Navarro, J.; Mercado, K.E.; Encinas, M.; Inzunza-Mejia, P. Reengineering of the software development process in a technology services company. Bus. Process. Manag. J. 2020, 26, 655–674. [Google Scholar] [CrossRef]
  54. Rahmaoui, O.; Souali, K.; Ouzzif, M. Improving Software Development Process using Data Traceability Management. Int. J. Recent Contrib. Eng. Sci. IT 2019, 7, 52–58. [Google Scholar] [CrossRef]
  55. Kim, S.B.; Kim, D. ICT Implementation and Its Effect on Public Organizations: The Case of Digital Customs and Risk Management in Korea. Sustainability 2020, 12, 3421. [Google Scholar] [CrossRef]
  56. Fritsch, A. Towards a Modeling Method for Business Process Oriented Organizational Life Cycle Assessment. In Proceedings of the 7th International Conference on ICT for Sustainability, Bristol, UK, 21–27 June 2020; ACM: New York, NY, USA, 2020; pp. 200–203. [Google Scholar]
  57. Luz, W.P.; Pinto, G.; Bonifácio, R. Adopting DevOps in the real world: A theory, a model, and a case study. J. Syst. Softw. 2019, 157. [Google Scholar] [CrossRef]
  58. Fursin, G.; Guillou, H.; Essayan, N. CodeReef: An open platform for portable MLOps, reusable automation actions and reproducible benchmarking. arXiv 2020, arXiv:2001.07935. [Google Scholar]
  59. Abraham, R.; Schneider, J.; vom Brocke, J. Data governance: A conceptual framework, structured review, and research agenda. Int. J. Inf. Manag. 2019, 49, 424–438. [Google Scholar] [CrossRef]
  60. General Data Protection Regulation (GDPR). Intersoft Consulting 2018, 1. Available online: https://gdpr-info.eu/ (accessed on 22 May 2020).
  61. Macedo, P.N. Brazilian General Data Protection Law (LGPD). National Congress 2018, 1, 1–20. Available online: https://www.pnm.adv.br/wp-content/uploads/2018/08/Brazilian-General-Data-Protection-Law.pdf (accessed on 18 April 2020).
  62. Erickson, A. Comparative Analysis of the EU’s GDPR and Brazil’s LGPD: Enforcement Challenges with the LGPD. Brook. J. Int’l L 2018, 44, 859. [Google Scholar]
  63. Piper, D. Data protection laws of the world: Full handbook. DLA Piper 2017, 1, 1–50. [Google Scholar]

Article Metrics

Citations

Article Access Statistics

Journal Statistics
Multiple requests from the same IP address are counted as one view.
Download PDF
Information Sharing Strategies in the Social Media Era: The Perspective of Financial Performance and CSR in the Food Industry
Previous
Successive Collaborative SLAM: Towards Reliable Inertial Pedestrian Navigation
Next