ICT Governance and Management Macroprocesses of a Brazilian Federal Government Agency

Abstract

The process of identifying and managing Information and Communication Technology (ICT) risks has become a concern and a challenge for public and private organizations. In this context, risk management methodologies within the Brazilian Federal Public Administration organizations have become indispensable to help the managers of these organizations in decision making, especially in the distribution of public funds, elaboration of public policies focused on transparency, social actions contemplating indemnities, and social benefits, among others. In addition, the various ICT projects controlled by the public administration need a methodology to perform their management of ICT resources. In this article, we present the Governance and Risk Management methodology used to model the Administrative Council for Economic Defense (CADE) macro processes. The proposed methodology used the risk management process aligned to the ISO 31000 standards. This alignment was necessary for mapping CADE’s risk events, regardless of their complexity. The modeled ICT risk processes will support the organization’s managers in decision making and may be used or customized by any other organization of the Brazilian Federal Public Administration.

1. Introduction

Risk management is a fundamental activity for a public or private organization to be managed at all levels. It is an essential part of Information and Communication Technology (ICT) Governance [1,2]. In addition, it contributes to the maturity of organizational management systems. Due to this relationship with all organization levels, risk management is associated with all organizational activities, and interaction with stakeholders is fundamental.

For the risk management process execution, it is essential to understand its iterative nature. This characteristic is relevant to the maturity of the process since its purpose is continuous improvement and monitoring, among the contributions of the risk management process. In addition, it is important to mention that performing risk management correctly allows organizations to consistently establish their strategy, paving the way for achieving organizational objectives and assisting stakeholders in making decisions. The scope of the risk management process is to carry out coordinated activities to direct and control the organization in risk-related matters [1].

Soares Netto et al. [3] stated that the concern with risks is a key aspect, as it ensures that organizational strategic objectives are less exposed to risks due to ICT failures. Because of this, the risks related to ICT problems are being considered increasingly relevant and present in managers’ agendas, since the impact that this type of risk can bring to the business has serious consequences since organizations are increasingly having their end activities dependent on the ICT area.

The lack of a methodology to perform risk management can be disastrous for public organizations and cause some consequences that can affect the citizens’ lives directly or indirectly, decreasing the credibility of the services offered to the population [4]. Chagas [5] analyzed the risks related to the economic area of a public administration organization and identified the importance of a methodology to manage risks due to the economic instabilities and the uncertainties inherent to the context of these organizations. In addition, efficient risk management in public organizations helps in the fight against corruption [6].

The General Law of Data Protection (LGPD) [7,8,9] and its respective punishments in case of non-compliance, keeping people’s data secure has become a current concern and, consequently, has become a point to consider when designing a risk management model, since there is the possibility that such information can be leaked or used illegally by third parties.

In public organizations, some methodologies address risk management with the primary purpose of mitigating possible fraud. For example, Miranda [10] highlighted the Manual of Integrity Management, Risks and Internal Controls of the Ministry of Planning, Development, and Management (MP), a methodology consisting of five steps aimed at meeting the demands of the MP. Another highlight is the Risk Management Manual of the Federal Audit Court (TCU) [11], whose objective is not only limited to managing risks but expands to possible opportunities.

This work is an expansion of the paper published in the ICEIS 2021 conference (23th International Conference on Enterprise Information Systems) [9]. It presents the evolution of the modeling of the processes of Risk Management and Governance of Information and Communication Technology (ICT) based on the ISO 31000 [1]. The modeled processes can be customized and used by other Public Administration organizations and can support ICT managers in decision making, especially in the identification, analysis, evaluation, and mitigation of ICT risks.

The main goal of this paper is to apply the models proposed in the ISO 31.000 [1] in risk management in a Brazilian federal public administration agency by mapping the organization’s risk processes. Thus, we define the following hypothesis: Is it possible to apply of the ISO 31000 guidelines in the risk management solutions in public organizations? In order to map the processes, we conducted a literature review to identify existing studies in this context and held several meetings with the agency’s stakeholders to validate the identified risks and perform their classification, frequency, and impact. By identifying the risks, the organization will be able to define action plans to respond to the possible events, avoiding, mitigating, accepting, or even sharing the risks with the stakeholders. The survey of risk events will provide the organization with a more profound knowledge of the scenario in which it operates, whose record will be an input for decision making regarding the organization’s vulnerabilities and strengths, as well as the threats and opportunities that are part of the context of the federal public administration.

2. Background and Related Works

Public administration organizations carry out various types of activities, which are related to the provision of health services, social security, infrastructure development, research financing, regulation, taxes, among others [12]. The activities provided by these organizations involve a certain degree of risk, which may involve, but are not limited to, fraud, deficiency in service provision, waste, inefficiency, and loss of opportunity [12].

Risk management under the Federal Executive Branch in Brazil is governed by Complementary Normative Instruction (CNI) Nº 1, of 10 May 2016 [13]. The regulation provides that the bodies and entities of the Federal Executive Branch must adopt measures to systematize practices related to risk management, internal controls, and governance. The measures related to risk management that are determined in the CNI are related to implementing, maintaining, monitoring, and reviewing the risk management process, checking compatibility with the organization’s mission and strategic objectives, following the guidelines of the normative [13].

Brazilian government decision-making is subject to strong, and growing expectations of transparency and public accountability [14]. This need for transparency involves complex issues related to how the federal public administration’s risk management can be conducted in order to avoid possible threats to the organization [15]. It is also important to highlight a particularity of risks in the private sector, which differs from the public sector, regarding the confidentiality of decisions concerning risks. In the public sector, there is a requirement for accountability, which makes decisions public and transparent. In the private sector, these decisions are usually confidential, taking into account strategic business issues [15].

In private sectors, Sedinić and Perušić [16] mentioned the perspective of companies dealing with complex applications (such as banking, mining, or airport sectors). For the authors, early identification, analysis (including correlation and aggregation if necessary), assessment, and monitoring of risks allow them to develop an action plan whose decisions are made in such a way that these risks do not affect their business. It is also important to mention that there is a growing concern with financial statements in this kind of application, especially when sent to external audits.

Another interpretation of risk management in private organizations involves Industry 4.0, focused on the automation of its processes due to the Internet of Things (IoT). Brocal et al. [17] highlighted the practicality of risk management systems, classifying four hierarchical types of risks, these being: (a) risk governance, which involves the decision making of these risks respecting their processes and their organizations; (b) risk management, related to the use of methodologies and frameworks to provide the development team with a detailed analysis of their risks and their consequences; (c) risks related to occupational health and safety, concerning the people who develop means to manage the risks and their working conditions, and; (d) emerging risk management, which refers to the risks embedded in new technologies.

Risk management can be carried out at different administrative levels, being totally independent of the type in which the organization is inserted—be it public or private. In this context, several works were published in relation to risk management with a focus on different solutions. El-kiki et al. [18] presented the mGovernment framework to control and manage risks in government services, so that the framework could help in forecasting the benefits, in addition to calculating the risks resulting from any changes that are necessary for the context of administration governmental. After the proposal of the framework by the authors, other research was carried out with the objective of better understanding the mGovernment through the perspective of its users, so that the effectiveness of the framework could be measured [19] and also, its day-to-day use of the organization to minimize the impacts caused by the challenges of risk management [20].

Silva et al. [21] conducted with several Brazilian government agencies, the application of the Adaptation of Failure Mode and Effect Analysis (FMEA) to the Information Technology Solution Contracting Planning process as a tool to carry out risk management. The results made it possible for the agencies to review the procedures of the ICT contracting process so that improvements could be implemented. In addition, it allowed the agencies to customize the FMEA to suit the reality of each organization. Some works were published with the purpose of analyzing and understanding how risk management is carried out in different countries. Oulasvirta and Anttiroiko [22] analyzed the risk management carried out by the government of Finland. The results showed that even though the era of ICT is in evidence, the adoption of risk management in the country is still slow in municipal administrations (whether in large or small cities). Nadikattu [23] investigated the critical areas of ICT Governance in the United States private sector, pointing out the management components and the role of each component to mitigate the risk associated with it.

Junior [24] analyzed the challenges of implementing risk management in a Brazilian state government in terms of the impact of this type of management. For this, the author conducted a round of 13 interviews and observed the behavior of each participant. The results showed that, although risk management serves to legitimize the expansion of the organization’s internal control, the participants’ understanding was limited by at least three issues: (i) barriers in the auditors’ professional identity; (ii) the low relevance of internal controls; and (iii) the difficulty of disclosure of strategic risks. Finally, Elamir [25] sought to better understand the needs, benefits and approaches to risk management focused on the health area, making a comparison between traditional and business risk management approaches. In addition, the author presented a methodology called bow tie to assess the risk prospects proposed by the American Society for Health Risk Management.

Following the trend of Distributed Software Development (DDS) [26], and its advantages for organizations, Filippetto et al. [27] aimed to improve the quality of projects developed by organizations through Átropos. This model aims to manage the risks that may occur during the software life cycle. The authors conducted a case study in a software development company. The model consists of inputs (which initiates the application based on some database), risk identification (where the identification of activities, their ramifications, and impact assessment of such risks occurs). The management problem is the risk signaling by bots that monitor the project and the context model (capable of storing the history of events with their risks so that such information can be consulted for future projects). In their ramifications, the authors use the Risk Analytical Framework (RAF) for correct risk identification.

Kim [28] studied the effects of Effective Risk Management (RM) and its relationship with managers in South Korea’s food industry based on three aspects: (a) individual characteristics, (b) meta-structure variables, and (c) organizational variables. RM consists of systematic development platforms that identify and report each diagnosed risk to the development team. Other concepts used by the author is the Theory of Planned Behavior (TPB), focused on the rational study of managers concerning proactivity and their ability to prevent risks and react when necessary, and; the Institutional Theory, which investigates the decision making made by managers and its impact on the company.

A significant concern for highly complex companies, Sedinic and Perusic [16] studied the usage of Information Security Risk Management methodologies. It works in harmony with each company’s overall risk management, using as an example three methodologies based on ISO 27001 [29] that have been adopted by a telecommunication company operating in Croatia and other European countries. The methodologies are: (a) Information Security Management System (ISMS), a process that consists of five steps and provides the identification and management of risk, classifying it into four categories (very low, low, medium, and high); (b) Basic Security Assessment (BSA), which comprises a list containing 20 risks (including location, file integrity, data production, and manipulation, among others), and is used only at system initiation and; (c) IT Security Risk Management, a process that consists of five steps and that is adopted to assess some specific security risks of the Information Technology area, establishing as threats the factors related to confidentiality and data integrity, as well as the availability of this information (that can be leaked or sent by mistake), is categorized as low, medium or high risk, depending on its probability and impact on the operation.

Júnior and Filho [30] detailed the Risk Management Implementation Project, introduced by the Government of the Federal District (GDF) in 2019. In cooperation with the Office of the Comptroller General of the Federal District (CGDF), whose project started in 2015—with the main purpose of improving public management and its risks through good communication with the agencies, providing the identification and classification of risks according to their complexities and allowing managers to make a decision consistent with their reality. A risk management system focused on the public sector is essential for fraud prevention, correct allocation of funds, and reduction of superfluous expenses.

Gallis and Alves [31] investigated the risks pertinent to the financial area. The authors based themselves on the Banking Supervisory Council of Basel—created by the G-10 in 1974, on the concept of Operational Risk (encompassing issues such as human failure, system, process, and external factors) and Banking Risk (which involves risks pertinent to interest rates, credit, and stock market shares). In this area, identifying risk from its history and the issuing of probabilities is essential for the investor to be aware of the financial asset available and its variables, which external changes or market trends can influence.

Miranda [10] proposed a methodology for risk management in the Ministry of Planning, Development, and Management (MP), based on cycles and with the following steps: (a) Survey of the Environment; (b) Identification, investigating the history of risks and their consequences; (c) Assessment of these risks, establishing their degrees of complexity and corresponding probabilities; (d) Risk Response, involving planning to address this risk, and; (e) Information, Communication, and Monitoring, responsible for reporting the risk management situation and conducting evaluations.

Tshabalala and Khoza [32] studied the concept of Effective Conflict Risk Management (ECM) aimed at the agile development market, which consists of managing a project’s risks continuously and flexibly to changes, in order to provide fast release delivery. The authors conducted a qualitative survey with 179 people working in the ICT field to verify its effectiveness.

The Secretariat of Planning, Governance, and Management (SEPLAN) [11] of the Federal Court of Accounts (TCU) presented the details about the Risk Management Program to improve risk management, especially in court decisions. The TCU’s Risk Management Manual consists of a document containing the information related to risks to be understood concisely and transparently. The proposed process consists of eight steps: (a) Establishing the Context; (b) Risk Identification; (c) Risk Analysis; (d) Risk Assessment; (e) Risk Treatment; (f) Communication and Consultation with Stakeholders; (g) Monitoring, and; (h) Continuous Improvement.

Ávila [33] studied the importance of risk management methodologies for municipal governments in Brazil regarding fraud prevention and transparency, based on the protocols adopted in the government of Canada. Based on the generic risk management process proposed by Hill and Dinsdale [34]—that is, risk identification, impact assessment, decision making, and monitoring—the author emphasized issues to be discussed in municipal governments about the strengths and weaknesses of management, going through the knowledge analysis of their employees, establishing objectives and managing these risks.

Junior [24] conducted an analysis based on accountability in-state public institutions in order to investigate the pertinent risks, their management by managers, and the impacts they may cause on society. The authors considered a survey conducted by internal state auditors, and this study aimed to implement a risk management system to provide greater internal control of public administration through thirteen interviews. The results found problems related to lack of interest in risk management (such as high demand from state agencies and change of teams) and lack of leadership. These problems can hinder public transparency.

Okonofua and Rahman [35] studied the factors that contribute to proper risk management and proposed the creation of the Risk Management Plan (RMP), a technique to engage people, process, and technology in a process so that organizations follow a detailed document that contains all phases of a project—i.e., elicitation, analysis, development, testing, and remediation—and provide a controlled and monitored RMP. RMP consists of three steps: (a) Management Support; (b) Risk Management Development; (c) Success Criteria; and (d) Ongoing Monitoring and Analysis.

Brocal et al. [17] studied the impacts and risks that the Internet of Things brings about in Industry 4.0 in its relationships between man, machine, and robot. In their research, the authors proposed methodologies based on Complex Systems Governance (CSG) that builds on the three characteristics of IoT—RFID identification, sensing, and actuation—along with risk management systems in organizations and human performance analytics (such as strength and logical reasoning).

Aiming at better risk management in the hiring of services focused on ICT in public organizations, Silva et al. [21] proposed an adaptation to the Failure Mode and Effect Analysis (FMEA) within the Information Technology Solution Hiring Planning (PCSTI). Based on laws and ordinances enacted in the state and federal spheres, the authors’ proposed adjustment to FMEA consists of five steps: planning, general risk study, analysis to define its complexity, interpretation of data and results, and monitoring, which were approved by five public entities through interviews and brainstorming, established in the methodology’s process.

Okonofua et al. [36] investigated the existing gaps in the literature on risks involved in the Information Security (IS) area for leadership decisions and their influence on risk management in this segment. For the authors, the use of the Full Range Leadership Theory (FRLT) proposed by Bass and Avolio [37], provides through the Multifactor Leadership Questionnaire (MLQ) nine properties for three types of leadership: transactional, transformational, and passive-preventive, which are effective for risk management.

3. Methodology

The objective of this work is to present the stages of the risk management process of the ICT processes of the General Coordination of Information and Communication Technology (CGTI) of the Administrative Council for Economic Defense (CADE). The organization has its methodology for risk management, prepared according to ISO IEC 31000 [1] and the set of rules and regulations published by the Federal Public Administration (APF), among them: (1) Joint Normative Instruction number 01/2016 [13] which provides for internal controls, risk management, and governance within the Federal Executive Branch; (2) decree number 9023 of 22 November 2017 [38] which provides on the governance policy of the federal public administration; (3) CADE ordinance number 283, of 11 May 2018 [39] which approves the Governance Policy, Integrity Management, Risks, and Management Controls within the scope of the Administrative Council for Economic Defense.

According to the 31010 [40] standard, the assessment process is the part of risk management that provides a structured process to identify how the objectives may be affected; also, according to the standard, the process tries to answer the following fundamental questions: (1) what may happen and why?; (2) what are the consequences?; (3) what is the probability of its future occurrence?; (4) are there factors that mitigate the consequence or reduce the risk probability?; and (5) is the risk level tolerable or acceptable, and does it require additional treatment? To gather the necessary information for the mapping of risk events in CGTI’s processes, we adopted the risk management process based on the 31000 [1] standard. The components of the standard are presented in Figure 1.

Figure 1. Elements of the Risk Management Process [1].

According to ABNT NBR ISO/IEC 31000 [1], risk identification has the purpose of finding, recognizing, and describing risks that may help or hinder an organization from achieving its objectives. Risk identification involves identifying risk events, their causes, and consequences. In this phase of the work, we consider the typologies defined in CADE’s methodology, which we can classify as 1. Operational risks: Events that can compromise the body or entity’s activities, usually associated with failures, deficiency, or inadequacy of internal processes, people, infrastructure, and systems; 2. Body image/reputation risks: Events that can compromise society’s trust (or that of partners, clients, or suppliers) about the body or entity’s capacity to fulfill its institutional mission; 3. Legal risks: Events derived from legislative or regulatory changes that may compromise the activities of the organ or entity; 4. Financial/budgetary risks: Events that may compromise the capacity of the organ or entity to count on the budgetary and financial resources necessary to carry out its activities, or, still, events that may compromise the budget execution itself, such as delays in the bidding schedule; 5. Integrity risks: Risks that configure actions or omissions that may favor the occurrence of frauds or acts of corruption.

In the risk assessment phase, which aims to support decisions, risks are assessed based on the probability that they will occur and on the impact they may have on the organization’s objectives. Probability should be measured by analyzing the causes of the risk event, observing aspects such as observed or expected frequency. Categorized by weights and in descending order, the parameters for the definition according to the probability analysis are 5. Very high probability: with an occurrence above 90%, and expected, repetitive and constant event; 4. High probability: with an occurrence between 50% and 90%, an event can occur in a usual way; 3. Medium probability: contemplating occurrences between 30 percent and 50 percent establishes a prediction of when an event can occur but is expected; 2. Low probability: with a possibility of incidence between 10 percent and 30 percent, refers to an event with characteristics similar to the previous one, with the difference that in this weight, the event is unexpected; 1. Very low probability: representing possibilities below 10 percent refers to an extraordinary event.

The impacts are the effects of the occurrence of a risk event and are measured from the analysis of the effects. These events can be described in five categories in descending order, according to their weight: 5. Catastrophic: classified as weight 5, this risk event impacts the objectives irreversibly; 4. Robust: with weight 4, it impacts the objectives whose reversal becomes difficult; 3. Moderate: the risk event negatively impacts the objective but can be recoverable; 2. Weak: the effects influence the established objectives in a negligible manner, and; 1. Insignificant: the impact on the objectives is minimal.

Considering the risk level is the product of probability X impact. Thus, the risk level is expressed by combining the probability of occurrence of a risk event and its impacts on the organization’s objectives. Following this relation and considering the established weights, the methodology adopted by CADE classifies the impacts according to their complexity, defining in a low to extreme risk level, in which the incidence of an event with a pre-established probability of occurrence may have insignificant or disastrous consequences. Once the level of risk is known, it is necessary to establish strategies to treat the risks. Risk treatment involves the identification of options to treat these risks, evaluating these options, and selecting the most appropriate alternatives to modify the risk level (Risk Response). CADE, in the adoption of its methodology, establishes the following risk responses: 1. Low risk: it is understood that the risk level is within tolerance, being considered the acceptance of this occurrence; 2. Medium risk: A response divided between acceptance and reduction indicates that the risk level is close to but not within the established tolerance; 3. High risk: defined with the response of reducing, transfer, and avoid, it is an indication that the risk level is outside the established tolerance and needs to be reduced to acceptable levels; 4. Extreme risk: following the three risk responses proposed in the previous item, the actions in this category aim at reducing the impact immediately, even if it is difficult to reduce it to an acceptable level.

Organization Context

The CGTI is one of the portfolios that make up the Directorate of Administration and Planning (DAP) of CADE. Through the Information Technology Master Plan (PDTI), established between the years 2017 and 2020, the CGTI defined in its Strategic ICT Objectives its mission, vision, and values, which are: (1) Improve the management of users and employees; (2) Implement information systems; (3) Provide its employees with a robust infrastructure; (4) Ensure Information and Communication Security; (5) Foster management and governance, and; (6) Improve the provision of services to society.

Aggregated in the ICT Management and Governance Macroprocess, are the CGTI level I processes, defined based on CADE’s value chain, as shown in Figure 2, from which risk events will be identified taking into account specific regulations and legislation.

Figure 2. Level 1 process [41].

In order to execute these processes and achieve strategic objectives, CGTI’s structure is divided into organizational units: Information Technology Infrastructure Service (SESIN); Information Systems Service (SESIS); Management and Governance Services (SEGOV); and Information and Communication Security Service (SESIC), as shown in Figure 3.

Figure 3. Structure of the General Coordination of Information and Communication Technology (CGTI) [42].

4. Results

4.1. Provide ICT Governance

According to the ISO/IEC 38500 [43], ICT governance is the system by which the current and future use of ICT is directed and controlled within the organization. Within CADE, the SEGOV (Figure 3) has as one of its attributions to manage the risks related to ICT governance. The attributions/responsibilities of the SEGOV are: 1. to plan, coordinate, and guide the actions of acquisition and contract management related to management and governance; 2. to manage projects related to ICT management and governance; 3. To implement and sustain management and governance solutions; 4. to identify, evaluate and propose technology solutions to support CADE’s last activities; 5. to propose policies and guidelines concerning the planning, implementation, and maintenance of activities related to information and communication technology governance; 6. to formulate and maintain an information and communication technology governance and management model.

In its PDTI, CGTI also listed its ICT needs regarding the strategic objective of Promoting ICT Management and Governance, which were considered in the phase of establishing the context for risk identification, which are: (1) Implement and formalize the processes of ICT Risk Management, ICT Business Continuity, ICT Contracting and Contract Management for ICT Goods and Services, ICT Governance, ICT Portfolio, and Project Management, and ICT Service Management; (2) Knowledge management project; (3) Standardization of the Artifacts of Contracting ICT Services and Goods Acquisitions and; (4) Implementation of the data integration and quality solution. In a case study carried out at CADE by Canedo et al. [42], after applying a questionnaire to the CGTI members/servers, the authors identified among the processes not defined and not implemented, the ICT Service Continuity, ICT Project Management and ICT Service Management processes. In addition, the authors identified the absence of some artifacts related to ICT processes that were already implemented at CADE.

Thus, based on the strategic objectives of PDTI, the ICT needs, and the duties of SEGOV, identifying risks in the process of Providing ICT Governance began. In this initial phase, the Brainstorming technique was used with the CGTI team. Five events were listed, which are: 1. flaws in the implementation of the Risk Management process at CGTI: of operational typology, these problems are caused by flaws related to the team’s knowledge about risks, prioritization of the risk management process, and implementations of the Agir system, its effects reflect in the exposure of risks that can affect the business, in the non-fulfillment of compliance rules and the accountability, fitting as internal control the use of ordinances and norms regarding risk management at CADE; 2. Non-formalization of the project management methodology: of an operational nature, it relates the events linked to projects and has as its causes the non-prioritization on the part of experienced members, the lack of knowledge of some members, and the low adherence to concepts directed towards project management, resulting in delays in the stipulated deadlines, lack of details in the results and standardization problems; 3. Failures in the management of human resources of ICT: with operational typology, these events occur due to lack related to corporate systems for people management, the adaptation of new employees, procedures for performance evaluation, and interaction of leaders on related topics, causing a high turnover of servers, difficulty in the viability of processes and drop in performance of employees, fitting as internal control the use of norms directed to people management; 4. Non-implementation of knowledge management: also of an operational nature, generated by the low knowledge management culture and lack of process definition, resulting in loss of organizational knowledge and discontinuity; 5. Failure in delivering value from CGTI to the business: of strategic nature, it is caused by failures related to the strategic alignment between business and ICT, communication of the ICT area with CADE’s senior management and governance structures, it leads to delivery problems, budget execution, affects the achievement of the organization’s goals and waste of time in non-relevant initiatives, whose internal control provides for the use of governance norms.

Once the risk events related to the process of Providing ICT Governance were identified by the CGTI team, the risk assessment process defined by the ISO 31000 [1] follows to the next step, risk analysis, which aims to understand the nature and characteristics of the identified risks. Having as a reference the criteria established by the CADE methodology, as presented in Section 3, the CGTI team analyzed the identified risk events defining the probability of occurrence, and the impact of such events in the accomplishment of the ICT objectives related to the process under analysis, the Table 1 presents this information, as well as the answers to the risks also defined by the team.

Table 1. Risk Assessment of the Provide ICT Governance process.

Event	Frequency	Weight	Impact	Weight	IxP	Risk Level	Risk Response
R01	90%	4	High	4	16	Extreme Risk	Reduce
R02	70%	4	Moderate	3	12	High risk	Reduce
R03	95%	5	High	4	20	Extreme Risk	Reduce
R04	80%	4	High	4	16	Extreme Risk	Reduce
R05	50%	3	Moderate	3	9	Medium Risk	Reduce

After selecting the answers to the risks, the next step is the creation of new internal controls or revision and improvement of already existing controls, regarding the risk events of the process to Provide ICT Governance, the CGTI defined actions to be implemented, as follows (1) Training activities; (2) Implementation of risk management according to CADE’s methodology; (3) Analyze alternatives for the AGIR System; (4) Publish and adopt Project Management methodologies/good practices; (5) Implementation of Pg. CADE; (6) Publicize the new employees’ adaptation process; (7) CGTI’s participation in the General Data Plan; (8) Encourage the use of project management tools, such as Wiki, Redmine, and GitHub; (9) Map CGTI’s business processes and; (10) Formalize CGTI’s Communication Plan. These actions are the responsibility of the CGTI coordinator and the other CGTI leaders and will be implemented by December 2021.

Completing this step provides the agency with the necessary inputs so that managers can continue to critically analyze and monitor the risks of the organization’s Providing ICT Governance process.

4.2. Provide ICT Infrastructure

Among the level I processes of CGTI is the process of Providing Information and Communication Technology (ICT) Infrastructure, whose sector responsible is the SESIN; the sector has the following attributions/responsibilities: 1. plan, coordinate and guide the actions of acquisition and contract management related to infrastructure; 2. Managing projects related to ICT infrastructure; 3. Implementing and sustaining communication and connectivity solutions; 4. Managing risks related to ICT management and governance; 5. Identifying, evaluating, and proposing technology solutions to support CADE’s last activities; 6. Coordinate the sustaining of information technology and communication assets; 7. assist users in operating information technology and communication assets; 8. maintain the operability of CADE’s safe room.

The risk events defined by the CGTI team, their causes, effects, and typology, as well as the internal controls already in place related to the Provision of ICT Infrastructure process, are described in Table 2.

Table 2. Risk events identified in the Provide ICT Infrastructure process.

Event	Causes	Effects	Tipology	Internal Control
R01. Lack of technical knowledge of the product or equipment to be purchased	1. Lack of studies and too many demands to allow time for market solutions	1. Failure to specify requirements in contracting	Operational	1. Hiring process for ICT solutions, based on IN 01 [44]
R02. Lack of knowledge of laws and regulations related to ICT procurement	1. Lack of studies and too many demands to have enough time to get up to date with the new legislation	1. Failure in the contracting process (objections, re-publication of the public notice, abandoned bidding, etc.)	Legals	1. Hiring process for ICT solutions, based on IN 01 [44]
R03. Failure to communicate project requirements and needs	1. Failure in the alignment between ICT and business areas	1. Hiring of solutions that do not meet the needs of the business areas	Operational	1. Hiring process for ICT solutions, based on IN 01 [44]
R04. Poorly dimensioned service provision contracts related to ICT activities	1. Failure in the preliminary technical study of the contracting	1. Failure to meet the organ’s needs	Operational	Hiring process for ICT solutions, based on IN 01 [44]
R05—Poorly designed project scope	1. Lack of knowledge of the project team	1. Project deliverables not meeting general requirements as requested by stakeholders	Operational
R06—Poorly sized team to manage the demands	1. Lack of servers at SESIN	1. Project delivery not meeting the general requirements as requested by the stakeholders	Operational	PDTIC
R07—Lack of knowledge in project management	1. Lack of prioritization by the team on issues related to technical training	1. Poorly managed projects	Operational	1. Employees training program
R08—Failure in the institution’s logical and/or physical network	1. Electrical problems and/or network equipment failure	1. Failure access to CADE’s cooperative network	Operational	1. Generator, redundant sources, nobreaks
R09—Internet link unavailability	1. Infovia link problems	1. Lack of access to the external network by the institution	Operational	1. Redundant link
R10—Unavailability of ICT infrastructure and systems	1. Failure in CADE’s physical and virtual servers	1. Unavailability of access to CADE’s systems	Operational	1. Generator, redundant sources, nobreaks, support, and warranty for equipment
R11—Identify and propose obsolete ICT solutions	1. Requirements defined by the customer not so clear, technical staff outdated with the issues related to infrastructure	1. Acquire solutions that will not be used by users or that do not meet current security requirements	Operational
R12—Lack of access to systems and resources due to lack of licensing	1. Failure to plan TIC hiring	1. Stop using a solution and use non-compliant solutions.	Operacionais
R13—Lack of maintenance contracts and service center	1. Failure in hiring planning	1. No technical support for the ICT assets and ICT assets out of warranty and without a maintenance contract	Operational
R14—Lack of trained personnel for sustaining ICT assets	1. Lack of an ICT career at CADE, the dependence of the institution on careers from other agencies to provide its ICT staff	1. Failure in sustaining the ICT environment	Operational	PDTIC
R15—Lack of knowledge and procedures of the help desk about some of the institution’s systems	1. Lack of knowledge management process and knowledge base	1. Passing on wrong information and procedures to users, causing non-resolution of problems	Operational	1. Knowledge base
R16—Lack of effective communication to ICT users	1. Lack of a single channel and communication plan	1. Asymmetry of information, passing misleading and/or outdated information to users, and lack of alignment of teams	Operational
R17—Interruption of power supply	1. Failure in the supply from the electric power utility company	1. Increased expenses for generator supply	Operational	1. Specific and general generator, including nobreaks, in the Uninterruptible Power Supply (UPS) room
R18—Failure in the climatization equipment	1. Electrical problems and/or failure in the climatization equipment	1. Room overheating, equipment shutdown, and infrastructure unavailability	Operational	1. Online monitoring
R19—Generator set failure in case of power interruption	1. Electrical/mechanical problems in power generation equipment	1. Unavailability of ICT infrastructure and vulnerability of physical access to the room	Operational	1. UPS room, auxiliary generator, monitoring contracts
R20—Lack and/or failure of preventive maintenance	1. Lack of maintenance contract management	1. Depreciation of equipment and loss of manufacturer’s warranty	Operational
R21—Unauthorized physical access	1. Failure in the safe room access system or procedure	1. Sabotage, espionage, equipment degradation, and access to restricted information and data	Operational	1. Ordinance No. 406
R22—The difficulty of physical access to the safe room at unauthorized times	1. Lack of authorization for employees to enter at special times	1. Inability to solve problems alarmed by the safe room system	Operational	1. Ordinance No. 406

Once the risk events were identified for the Providing ICT Infrastructure process, the CGTI team performed the risk assessment, defining the probability and the impact of these events on its activities and goals, according to Table 3.

Table 3. Risk Assessment of the Provide ICT Infrastructure process.

Event	Frequency	Weight	Impact	Weight	I times P	Risk Level	Risk Response
R01	20%	2	High	4	8	Average	Accept
R02	40%	3	High	4	12	High	Transfer
R03	40%	3	Moderate	3	9	Average	Reduce
R04	20%	2	Moderate	3	6	Average	Accept
R05	40%	3	High	4	12	High	Reduce
R06	80%	4	High	4	16	Extreme	Avoid
R07	40%	3	Moderate	3	9	Average	Reduce
R08	10%	1	High	4	4	Low	Accept
R09	40%	3	High	4	12	High	Reduce
R10	20%	2	High	4	8	Average	Accept
R11	20%	2	Moderate	3	6	Average	Accept
R12	20%	2	High	4	8	Average	Accept
R13	20%	2	Moderate	3	6	Average	Accept
R14	95%	5	High	4	20	Extreme	Avoid
R15	40%	3	Low	2	6	Average	Accept
R16	20%	2	Moderate	3	6	Average	Accept
R17	20%	2	Catastrophic	5	10	Average	Accept
R18	20%	2	Catastrophic	5	10	Average	Accept
R19	20%	2	Catastrophic	5	10	Average	Accept
R20	20%	2	Catastrophic	5	10	Average	Accept
R21	20%	2	Catastrophic	5	10	Average	Accept
R22	40%	3	Moderate	4	12	High	Avoid

After selecting the answers to the risks, the next step is the creation of new internal controls or review and improvement of existing controls; regarding the risk events of the Provision of ICT Infrastructure process, the CGTI defined actions to be implemented, as follows (1) Create a process/manual for raising technical requirements; (2) Participation of the infrastructure team since the beginning of the process/project; (3) Create a communications plan; (4) Update the ordinance No. 406. These actions are the responsibility of the entire CGTI and, more specifically of SESIN, and aim to be implemented by December 2021.

With the completion of this stage, the institution has inputs to proceed with the critical analysis and monitoring of the risks of Providing CADE’s ICT Infrastructure.

4.3. Manage Information System and Manage Corporate Data

According to CADE’s Information and Communication Technology Master Plan 2017/2020, CGTI is the unit responsible for the management of information and communication technology resources, having SESIS as its subordinate area, as presented in the Figure 3, SESIS’ attributions are: 1. planning, implementing and making available solutions based on information systems to meet business needs; 2. promoting the development of corporate information systems based on the Electronic Government Interoperability Standards and e-gov accessibility; 3. Coordinating the activities related to the systems architecture management; 4. Supervising the systems development processes for the information technology and communication projects; 5. Performing the acquisitions related to the information systems portfolio of CADE’s Information Technology and Communication Master Plan; 6. Managing projects related to the information systems portfolio of CADE’s Information Technology and Communication Master Plan; 7. Continuity, support of third-party platforms; 8. Data management and governance.

The last two attributions (7 and 8) are not formalized in the Internal Rules of the Organ since the managers added them at the time of the interview for this work. However, since SESIS is responsible for the two-level 1 processes presented in Figure 2, being them (1) Manage Information System and (2) Manage Corporate Data, Table 4 and Table 5 present the identification of the risk events of the respective processes.

Table 4. Identified Risk Events in the Manage Information System process.

Risk Events	Causes	Effects	Typology	Internal Control
R01—Lack of knowledge of business specifications and needs.	1. Too many requirements to have enough time to deepen the understanding of the need; 2. Insufficient knowledge of CADE’s final processes.	1. Inadequate specifications of system requirements.	Operational Risks	1. Awareness of the areas regarding the systems specification criteria and the importance of the phase in the project’s construction.
R02—Lack of communication of project requirements and needs.	1. Lack of alignment between SESIS and the business areas.	1. Implementation of solutions that do not fully meet the needs of the business areas.	Operational Risks	1. Acting with the business areas and software factory regarding the importance of alignments; 2. Improve and encourage the registration/consultation to Redmine (knowledge base).
R03—Improperly specified system.	1. Failure in technical studies and system design.	1. Failure to meet the needs of the business area.	Operational Risks	1. Acting together with the business areas and the software factory regarding the importance of specification alignment and validation.
R04—Insufficient human resources.	1. Lack of competitive exams to increase the IT team’s headcount	1. Overload of the team; 2. Non-achievement of the goals established for CADE.	Operational Risks	1. Selective process for capturing qualified resources.
R05—Systems not compliant with e-Government standards.	1. Lack of knowledge of e-Government standards.	1. Impacts on system interoperability; 2. Difficulties in system portability; 3. Difficulties in system maintenance.	Operational Risks	1. Validation process via “sonar” and pen-test; 2. Existence of guarantees foreseen in the contract by the Federal Government’s guidelines.
R06—Incomplete/partial system development.	1. Lack of documentation of the system specification; 2. Lack of knowledge transfer to the responsible team; 3. Lack of human resources.	1. System inadequate to the needs; 2. rework; 3. compromise of the CGTI’s objectives;	Operational Risks	1. Awareness of the areas regarding the criteria for the specification of the systems and the importance of the phase in the construction of the project according to the guidelines of the Federal Government; 2. Acting together with the business areas and the Software Factory regarding the importance of alignments and following the guidelines of the Federal Government.
R07—Inadequate architecture.	1. Lack of knowledge in system architecture management; 2. Lack of specification and implementation of the architecture.	1. Difficulty in future continuity.	Operational Risks	1. Adopting architecture according to the good practices of the market.
R08—Inadequate team size for the management of the demands.	1. Lack of servers at SESIS.	1. Implementation of the architecture not meeting the general requirements as specified by IT.	Operational Risks	1. Selective process for capturing qualified resources.
R09—Lack of methodology for monitoring development cycles.	1. Lack of knowledge about development methodologies.	1. Delay in the delivery schedule.	Operational Risks	1. Define a development follow-up methodology. 2. Guarantee that the methodology is an integral part of the contract with the Software Factories.
R10—Lack of technical knowledge of the systems presents in the portfolio for acquisition.	1. Lack of studies and excess demands to allow time for proper specification.	1. Inadequate acquisition.	Legal Risks	1. Training for the involved teams.
R11—Lack of knowledge of laws and regulations related to procurement.	1. Lack of studies and excessive demands; 2. A high number of changes in normative instructions.	1. Rework in the acquisition process (impugnations, re-publication of the public notice, abandoned bid, etc.).	Legal Risks	1. Training for the teams involved.
R12—Inadequate management of the projects of the information systems portfolio of PDTI.	1. Lack of knowledge/mapping of ongoing projects; 2. Redmine does not cover the entire flow of software development.	1. exposure to risks that could affect the business; 2. loss of visibility of ongoing projects.	Operational Risks	1. Improve the platform and processes for adequate project management (Redmine); 2. Team training.
R13—Project discontinuity.	1. Lack of defined project management methodology; 2. Legislative turnover; 3. Changing technologies; 4. Platform discontinuity due to intrinsic security vulnerabilities.	1. Impact on the reach of Agency’s objectives; 2. rework and cost with the contracting of new platforms.	Operational Risks	1. Preventive management of the platform’s life cycle; 2. Permanent routines for assessing the security of solutions.
R14—Lack of knowledge of third-party platforms.	1. Lack of documentation of the platforms; 2. Lack of training; 3. Lack of knowledge of the technologies used in the third-party platforms.	1. Impact on business continuity; 2. Difficulty or impossibility to implement and maintain the solution; 4. Rework.	Operational Risks	(1) Training of the teams; (2) Supply of complete and updated documentation; (3) Discontinuity of the platform; (4) Carrying out a previous viability study to implement the solution.

Table 5. Identified Risk Events in the Corporate Data Management process.

Risk Events	Causes	Effects	Typology	Internal Control
R01—Lack of Data Governance methodology.	1. Lack of Data Governance methodology.	1. Exposure to risks that may affect the business.	Operational Risks	1. Staff training on data governance methodologies; 2. action plan for adherence to the principles of the methodology.
R02—Non-existence of data architecture with a unified standard.	1. Non-identification and planning of standard data requirements; 2. Receiving diversified data architecture.	1. Difficulty in meeting CADE’s data requirements.	Operational Risks	1. Unification of data architecture; 2. Data architecture validation process, in the development phase.
R03—Lack of data lifecycle management.	1. Non-existence of data flow identification at CADE.	1. Impact on data protection, integrity, and privacy assurance; 2. Impact on compliance with regulatory requirements, such as LGPD.	Operational Risks	1. Identification and documentation of the data flow.
R04—Absence of documentation management and data content.	1. Non-existence of an Enterprise Content Management (ECM) system.	1. Increased data management costs; 2. Impact on data recovery performance. 3. Impact on data quality.	Operational Risks	1. Non-existence of an Enterprise Content Management (ECM) system.
R05—Insufficient human resources.	1. Lack of competitive examinations to increase the number of IT staff; 2. Creation of a Data Governance service.	1. Overload of staff; 2. Impossibility of carrying out adequate data governance.	Operational Risks	1. Selective process for capturing qualified resources; 2. Make the top management aware of the relevance of data governance.

Once the risk events were identified for the processes under the responsibility of the SESIS unit, the CGTI team performed the risk assessment, defining the probability and impact of these events on its activities and objectives, according to the Table 6 and Table 7, respectively.

Table 6. Risk Assessment of the Manage Information System process.

Event	Frequency	Weight	Impact	Weight	I times P	Risk Level	Risk Response
R01	50%	3	Moderate	3	9	Average Risk	Reduce
R02	50%	3	Moderate	3	9	Average Risk	Reduce
R03	40%	3	Moderate	3	9	Average Risk	Reduce
R04	80%	4	High	4	16	Extreme Risk	Reduce
R05	50%	3	High	4	12	High risk	Transfer
R06	30%	3	Moderate	2	6	Average Risk	Reduce
R07	30%	3	Moderate	4	12	High risk	Avoid
R08	50%	4	Moderate	4	16	Extreme Risk	Transfer
R09	10%	1	Moderate	3	3	Minor risk	Accept
R10	30%	3	Moderate	4	12	High risk	Transfer
R11	20%	2	High	4	8	Average Risk	Reduce
R12	20%	2	High	4	8	Average Risk	Reduce
R13	10%	1	Moderate	3	3	Minor risk	Accept
R14	10%	1	High	4	4	Minor risk	Accept

Table 7. Risk Assessment of the Manage Corporate Data process.

Event	Frequency	Weight	Impact	Weight	I times P	Risk Level	Risk Response
R01	50%	4	High	4	16	Extreme Risk	Reduce
R02	30%	3	Moderate	3	9	Medium Risk	Reduce
R03	50%	4	Moderate	3	12	High risk	Reduce
R04	50%	4	Weak	2	8	Medium Risk	Reduce
R05	80%	4	High	4	16	Extreme Risk	Reduce

After selecting the responses to the risks, the next step is the creation of new internal controls or revision and improvement of existing ones: (1) Training regarding the structure and quality of the specification of demands; (2) Establish project importance criteria and make the business area aware of the adherence to the established criteria; (3) Strengthening the business areas and software factory regarding the importance of specification alignment and validation; (4) New tender; (5) Establish mechanisms to validate the use of the methodology; (6) Guarantee a prioritized agenda for training; (7) Acquisition of a new solution to support project and portfolio management; (8) Creation of scenarios/studies about the long-term viability of the project; (9) Establish preventive criteria to avoid the acquisition of a platform with insufficient documentation and outside the market standards. These actions are the responsibility of the entire CGTI and, more specifically, the SESIS unit and aim to be implemented by December 2022, considering that item 4 also requires the participation of the General Coordination of People Management, the CGESP.

Regarding the process of Managing Corporate Data, the actions defined for implementation were: (1) Structure of a data governance service and (2) Qualification of professionals to work with data governance. These actions are the responsibility of the entire CGTI and, more specifically, of the SEGOV and SESIS units and have the goal to be fully implemented by December 2022, considering that item 2 is on an ongoing basis. With the completion of this stage, CGTI has inputs to proceed with the critical analysis and risk monitoring of the processes Information System Management and Corporate Data Management continuously and cyclically, in accordance with ISO/IEC 31000 [1].

The CGTI unit responsible for Managing ICT Services and Support is the SEGOV. To assist the team in identifying the risk events of these processes, we use the ICT Service Catalog (CSTIC), a document whose goal is to structure the information about the services offered and their tasks, to guide customers and users of the services, which are: 1. internet access; 2. network access; 3. Monitoring of sessions/meetings; 4. antivirus; 5. data storage; 6. update the IT environment; 7. data backup; 8. database; 9. closed-circuit TV; 10. service center; 11. electronic mail; 12. systems development; 13. firewall; 14. corporate printing; 15. network infrastructure; 16. Network Server; 17. Storage; 18. Portal support; 19. Systems support; 20. Software support; 21. Hardware support; 22. Corporate Telephony.

The risk events defined by the CGTI team, their causes, effects, and typology, as well as the existing internal controls related to the Manage ICT Services and Support process, are 1. Lack of service standardization: classified as an operational risk, this event is caused by lack of knowledge and a service script, causing standardization and rework problems, having as internal control the use of the GLPI Knowledge Base; 2. Missing a deadline to hire support: considered an operational risk, this risk event occurs through excess demand and lack of definition of the project’s scope, resulting in the discontinuity in the provision of support services and an increase in operational costs, with a planned flow of contract renewals and checkpoint meetings; 3. Centralization of knowledge in a few people: being an operational risk, this event, caused by the amount of personnel and lack of knowledge management process, results in the lack of a quick resolution of a problem and dependence on collaborators with specific skills to solve it, in which the internal control mentions the Demand Management System and the Password Vault System; 4. Poorly humanized customer service: considered an image risk, it is caused by lack of training and compliance to service protocols, generating a poor quality of service and harming the image of CGTI, impacting negatively on the User Satisfaction Index (INSI). Once the risk events have been identified, the CGTI team performed the risk assessment, defining the probability and the impact of these events on its activities and objectives, according to Table 8.

Table 8. Risk Assessment of the Manage ICT Services and Support process.

Event	Frequency	Weight	Impact	Weight	I times P	Risk Level	Risk Response
R01	60%	4	Moderate	3	12	High Risk	Reduce
R02	20%	2	Catastrophic	5	10	Average Risk	Reduce
R03	70%	4	High	4	16	Extreme Risk	Reduce
R04	40%	3	Moderate	3	9	Average Risk	Reduce

To finalize the risk mapping of the Manage ICT Services and Support process, the CGTI team proposed new internal controls, assigning responsibilities and deadlines, in order to reduce the probability of occurrence of the identified risks, which are: 1. start monthly auditing if all calls have the associated knowledge bases, and if the knowledge bases are feasible (per sample); 2. Monthly monitoring of the hiring process in the control point meetings; 3. actions that promote the sharing of knowledge; 4. train the employee responsible for the relationship with outsources with the course “Disney Way to delight customers”; in which the responsibilities are of control inspectors, CGTI, the hiring planning team, and SEGOV, with deadlines set until December 2021. With the information generated, CGTI has inputs to perform the monitoring and critical analysis of all stages of risk management of the Manage ICT Services and Support process. According to ISO/IEC 31000, the purpose of monitoring is to ensure and continuously improve the quality and effectiveness of the process.

4.4. Promote Information and Communication Security

According to the ISO 27001 [29], organizations need to have an information security management system; its implementation is a strategic decision and aims to preserve the confidentiality, integrity, and availability of information. At CADE, the Information and Communication Security Policy (POSIC) was defined, which structure is composed by the Information and Communication Security Committee (CSIC), by the CIS manager, and by the Network Incident Treatment and Response Team (ETIR). The CGTI has as one of its subordinated sectors the SESIC unit. Its attributions/responsibilities are (1) to plan, coordinate and guide the acquisition actions and contract management related to information and communication security; (2) to manage projects related to Information and Communication Security; (3) to implement and sustain information and communication security solutions; (4) to manage risks related to information and communication security; (5) to identify, evaluate and propose technology solutions to support CADE’s last activities; (6) to inform, guide and supervise the acquisition actions and contract management related to information and communication security. Furthermore, to inform, guide, and supervise CADE’s units to fulfill the information security norms applied to the information and communication technology; (7) To support the implementation of the information and communication security policy; (8) To perform actions related to ICT regarding the General Data Protection Law and the National Program of Sensitive Knowledge; (9) To promote disclosure campaigns and training, aiming to disseminate the Information and Communication Security Policy and the culture of information cybersecurity among internal and external users of information and communication technology resources.

The ISO/IEC 27005 [45] provides guidelines for the risk management process, specifically for information and communication security. The risk event identification step is performed by identifying the assets, threats, controls, vulnerabilities, and consequences to determine the events that may cause a potential loss to the organization. Among CGTI’s assets, we can categorize them in two sections: Primary Assets (PA) and Support and Infrastructure Assets (ASI). The AP consists of nine IDs corresponding to the information and communication security area, whose responsibility is exclusive to the head of SESIC, these being: (1) Management over acquisitions and correlative contracts; (2) Creation and management of projects; (3) Implementation of solutions; (4) Risk analysis; (5) Identification, evaluation and provide solutions in order to subsidize CADE’s finalist activities; (6) Inform CADE’s units about the measures taken and that affect the ICT sector; (7) Support to the implementation of policies aimed at this segment; (8) Adequacy of the internal ICT policies with the LGPD and the National Sensitive Knowledge Program; (9) Promote knowledge to internal and external users about the Information and Communication Security Policy in order to cultivate a culture of cyber security. On the other hand, ASI deals with CADE’s electronic equipment, physical and virtual spaces, which are the responsibility of the head of SESIN. These are (1) Technical Rooms; (2) Safe Room; (3) AWS Cloud (Amazon); (4) CADE’s Cloud; (5) Computers and Notebooks; (6) Servers’ Mobile Devices.

The team performed the identification of threats, which according to ISO/IEC 27005 [45] have the potential to compromise the assets, and therefore the organization. Threats can come from inside or outside the organization. The standard also highlights that a threat can affect more than one asset. The existing internal controls in CGTI were identified, such as the standards and processes already defined and the vulnerabilities. These, in turn, do not cause harm by themselves because there needs to be a corresponding threat to exploit it. Table 9 presents the identified items applied to the primary assets and the support and infrastructure assets.

Table 9. Threats, Controls, and Vulnerabilities.

ID	Threats	Controls	Vulnerabilities
AP01		1. Specific rules and procedures for hiring ICT solutions;	1. Unnecessary services that remain enabled; 2. Lack of human resources;
AP02			1. Lack of human resources;
AP03	1.Information system saturation;		1. Backup-inexistence of a restoration plan; 2. Uncontrolled copying; 3. Lack of human resources; 4. Non-existence of a change control procedure;
AP04		1. Information Security Policy (POSIC); 2. Standards and procedures;	1. Lack of human resources; 2. Lack of procedures for handling classified information; 3. Lack of a continuity plan;
AP05	1. Information system saturation;	1. Information Security Policy (POSIC);	1. Lack of human resources;
AP06	1. Improper disclosure; 2. Recovery of recycled or discarded media; 3. Unauthorized use of equipment; 4. Illegal copying of software;	1. Information Security Policy (POSIC); 2. Information Security Policy (POSIC); 2. CADE Ordinances No 405 to 416/2019;	1. Lack of security awareness; 2. insufficient training in security; 3. lack of human resources; 4. non-existence of failure reports in the audit files (logs) of the activities of administrators and operators; 5. non-existence of periodic audits (supervision);
AP07		1. Information Security Policy (POSIC);	1. Non-existence of a continuity plan; 2. Non-existence of policies for the correct use of telecommunication and message exchange; 3. Lack of human resources; 4. Non-existence of a formal procedure for the supervision of ISMS records;
AP09		1. Information Security Policy (POSIC); 2. Standards and procedures;	1. No or insufficient clear desk and clear screen policy; 2. Lack of security awareness; 3. Lack of human resources; 4. Insufficient security training;
ASI01	1. Failure of telecommunication equipment; 2. Interruption of power supply; 3. Failure of the air conditioning or water supply system; 4. Fire; 5. Destruction of equipment or media; 6. Unauthorized eavesdropping; 7. Theft of media or documents; 8. Theft of equipment; 9. Recovery of recycled or discarded media; 10. Equipment failure; 11. equipment malfunction; 12. Information system saturation;	1.Physical access control system; 2. Closed-circuit TV;
ASI02	1. Failure of telecommunication equipment; 2. Interruption of power supply; 3. Fire; 4. Destruction of equipment or media; 5. Equipment failure;	1.Physical access control system; 2. Closed-circuit TV;
ASI03	1. Remote espionage; 2. Theft of media or documents; 3. Recovery of recycled or discarded media;	1. Logical access control system;
ASI04	1.Remote espionage; 2. Theft of media or documents; 3. Recovery of recycled or discarded media;	1. Logical access control system;
ASI05	1. Interruption of power supply; 2. Fire; 3. destruction of equipment or media; 4. Remote eavesdropping; 5. Unauthorized eavesdropping; 6. Theft of media or documents; 7. Theft of equipment; 8. Recovery of recycled or discarded media; 9. Improper disclosure; 10. Equipment failure; 11. Equipment malfunction; 12. Information system saturation	1. User protection system—Antivirus; 2. Perimeter protection system—Firewall; 3. Physical access control system; 4. Closed-circuit TV;
ASI06	1. Destruction of equipment or media; 2. Remote eavesdropping; 3. Unauthorized eavesdropping; 4. Theft of media or documents; 5. Theft of equipment; 6. Recovery of recycled or discarded media; 7. Improper disclosure; 8. Equipment failure; 9. Equipment malfunction;	1. User protection system—Antivirus;

With the information described in Table 9, the CGTI team performed the identification of risk events related to SESIC assets and processes; we characterized the Risk Events with their causes, effects, and typology (image, legal, operational or reputational risk), according to the criteria established by CADE’s methodology. These are: (1) Non-implementation of the Continuity Management Process: of an operational nature, this event occurs due to the absence of human resources and failures in prioritizing the process, whose effects reflect in non-compliance with the recommendations of POSIC and the Information and Communication Technology Governance Policy (PGTIC), lack of a Project Continuity Policy, lack of a Management Plan—represented by the Disaster Recovery Plan (DRP) and the Operational Contingency Plan and reflects in the delay in response to incidents, for which the internal control proposes the use of POSIC/PGTIC and a defined Risk management Process; (2) Failure in the hiring of solutions and services: considered an operational risk, the event is caused by the lack of knowledge in the bidding process and of the solution to be contracted, which generates a misallocation of public resources and solutions that do not meet the needs, as internal control, provides for the application of standards related to hiring and contracting processes of ICT solutions; (3) Discontinuity of projects: being an operational risk, this event is motivated by the absence of human resources and a lack of project management methodology, which results in a compromising of the reach of CGTI’s objectives, for that CADE foresees in its internal control the use of Public Administration Norms—contemplating the Federal Comptroller General (CGU), the Federal Audit Court (TCU) and the Federal Attorney General (AGU)—and the use of Good Practice Manuals; (4) Incomplete/partial implementation of solutions: also of an operational nature, occurs due to the lack of knowledge of the solution (including the transmission of the same to the members of the portfolio) and the absence of human resources, generating expenditure of resources, compromise with the CGTI objectives and a greater possibility of compromising information security, which leads the internal control to analyze contractual specifications; (5) Inexistence of a formalized risk management process: considered an operational risk, this event occurs as a result of lack of knowledge, prioritization and absence of human resources, which compromises factors linked to information security; (6) Data leakage: considered a risk to CADE’s image and reputation, this event of serious nature is caused by faults related to the Risk Management Process not defined, knowledge in risk management and the absence of human resources with expertise in the information security area, which causes mainly data exposure (contemplating personal data, confidential information) and consequently compromises the body’s image, leading to the use of security solutions (firewall, antivirus) and norms; (7) Non-compliance with information security norms by the business areas: considered an operational risk, it is caused by the incompatibility of the solution with the CGTI structure and the lack of knowledge of security standards, resulting in vulnerability in the network and impossibility to implement a solution; (8) Unauthorized eavesdropping: being an image and reputation risk, it is caused by the lack of cameras in the technical rooms and the absence of access control, which result in an exposure of data and unauthorized copies, in which the internal control provides for the individual configuration of all virtual ports and the deactivation of unused ports; (9) Attempted improper access: Considered an operational risk, this event occurs due to failure in equipment configuration and update in security modules, which generates vulnerability in equipment, possibility of undue access—consequently having access to sensitive data—and privilege scale, being up to internal control the segregation of the network and the use of physical and logical access standards; (10) Lack of implementation of LGPD processes: of a legal nature, this event—whose causes are the same as in item (1)—generates a non-compliance with the Federal Government’s best practices guide and with the laws imposed in the LGPD.

Table 10 presents the assessment of the risk events identified by the team; by analyzing the probability and impact of the identified risk events, the team was able to assess the level of risk and then select how they will respond to the risk.

Table 10. Risk Assessment of the Promote Information and Communication Security process.

Event	Frequency	Weight	Impact	Weight	I times P	Risk Level	Risk Response
R01	90%	5	Weak	2	10	Average Risk	Reduce
R02	30%	2	High	4	8	Average Risk	Reduce
R03	40%	3	Moderate	3	9	Average Risk	Reduce
R04	60%	4	Moderate	3	12	High risk	Transfer
R05	90%	5	High	4	20	Extreme Risk	Reduce
R06	10%	2	High	4	8	Average Risk	Reduce
R07	80%	4	Moderate	3	12	High risk	Reduce
R08	5%	1	High	4	4	Minor risk	Accept
R09	95%	5	Moderate	3	15	Extreme Risk	Avoid
R10	90%	5	Moderate	3	15	Extreme Risk	Reduce

After selecting the risk responses, the next step is to create new internal controls or review and improve existing ones: (1) implementation of the business continuity management process; (2) creation of a process/manual for collecting technical requirements; (3) hiring of specialized information security services; (4) formalization of the risk management process; (5) implementation of LGPD processes; (6) campaigns and user training to raise awareness; (7) definition of procedures and standards for periodic scans; (8) software and equipment update management policy; (9) implementation of vulnerability management procedures; and, (10) hiring of intrusion testing services. These actions are the responsibility of the entire CGTI and, more specifically, of the SESIC unit, with the head of SEGOV, all of which will be implemented by December 2022. With the completion of this stage, the CGTI has inputs to proceed with the critical analysis and monitoring of the risks of the process of Promoting Information and Communication Security in a continuous and cyclical manner.

4.5. Discussion

The quality of public services is the best indicator of the good functioning of the state and the government, these exercising their role through the federal public administration. Increasing the quality of services requires good coordination of public agencies at any level as well as increasing the performance of these entities. An increased degree of public service quality means increasing citizens’ trust in federal public administration. The implementation of risk management process requires special attention to detail being a large-scale process whose actions aim to streamline federal public administration. At the level of federal public administration, the implementation and/or use, depending on the stage at which the implementation process is, of the ISO 31.000 is monitored and supported. The ISO 31.000 is especially recommended because over the last decades it has been shown that ISO can be used in any type of public organization.

In this context, this work was motivated based on a need to generate new insights into ISO 31.000-based risk management. ISO 31.000 use is an essential technique for good risk management. After applying the ISO 31.000 guidelines on identification, classification, impact, level and risk response, it was possible to define the organization’s threats, controls and vulnerabilities. Furthermore, we found that the ISO 31.000 guidelines provide good guidance in identifying and analyzing risks. This study has some implications for research and practice. For research, our study can help researchers seeking to advance ISO 31.000-Based Risk Management. For instance, the results of this paper show the use of ISO 31.000 in the risk management. Thus, the reported information can guide researchers to identify gaps and develop new technological solutions to automate and minimize human effort in ISO 31.000-based risk management activities and the decision-making process. For practitioners, this study shows how public companies can use risk management with the ISO 31.000. Therefore, they can use it to understand the risk management use process and use the existing resources in the company to improve organizational learning in risk management. In addition, can use the results to support the decision-making process and support the professionals in managing risk by reusing knowledge and assisting in decision-making. This can make it easier to identify, analyze and evaluate risks in the company’s organizational process and help them to use ISO 31.000 in the company.

5. Threats to Validity

This research presents some threats that may affect the results. The first involves the communication gap among members of CADE’s ICT governance team, which leads to problems such as (1) raising irrelevant or superficial risks to the organization’s context; (2) ignoring potential risks due to lack of knowledge; and (3) lack of an in-depth validation of all risks identified during the process. With these risks identified, we held meetings with those responsible for CADE’s ICT governance to present and detail the identified risks and mitigate this threat.

Another threat is related to ICT processes that have not been mapped systemically by the ICT management and governance team. The lack of modeling of all processes can lead to a limited view of potential risks linked to its activities, which may negatively impact CADE’s risk management process. In order to mitigate this threat, CADE started modeling the ICT Governance processes that were not yet systematically modeled.

Regarding the external factors that may cause some threat to this study, we can mention that some team members do not have an adequate level of proficiency in the organization’s ICT Management and Governance processes, causing the imprecision of details and the possibility of failures. To mitigate this risk, we held meetings with managers to validate the risks identified and discuss employees’ perceptions about each risk.

Finally, Table 9—regarding the events of the Support and Infrastructure Assets—needs detailed information regarding the vulnerabilities that can occur through a failure, such as telecommunication problems, fire, and theft, the consequences of which can directly affect the administrative routines of the organization.

6. Conclusions

In this paper, we conducted a study to investigate the issues related to risk management. The identified works were essential to develop the case study and define a methodology for CADE’s risk management. Furthermore, from the review, it was possible to identify the variables to be analyzed in the risk management process, from identifying to monitoring risks.

In our findings, it is possible to conclude that due to the cyclical nature of the risk management process, it is possible to apply different techniques in the same steps based on the ICT macro processes. Therefore, being in opposite situations, it is not necessary to define a specific technique for each step of the process but to define a set of techniques and tools at different times for the same step. Due to this, it is understood the importance of the context definition step contemplated in the methodology proposed by ISO 31000, which enables the organization to define a set of techniques that can assist in the other steps of the risk management process, besides allowing a risk management process design adapted to the organization’s context.

This also contributes to helping mitigate some threats encountered in the development of the work, since from a process design that includes a set of techniques for each step, the stakeholders will be provided with inputs that promote good communication between teams and tools adapted to survey and assess the relevant risks, resulting in a consistent result that reflects the reality of the organization. As future work, we propose to address the identified validation threats and will advance CADE’s employees’ understanding of the adequacy of their processes with the Brazilian General Data Protection Law.