
Getting 'IT' Right
A Thematic Inspection

4. Implementation of Computer Projects

Procurement

4.1 Once the need for an IS/IT system has been identified and approved, a supplier needs to be identified and a price agreed - whether that supplier is an external contractor or an in-house team. In general, HM Inspector found that the procurement procedure was well conducted and that good value for money was achieved.

4.2 The quality of operational requirements documents - which explain to the supplier what the customer wants - was variable. For example, good specifications had been produced by a number of forces which had recently installed touch-screen systems in their force control rooms: these were based on the Smith 3 specification and on each occasion were fit for their purpose. However, in other cases, data definitions and application descriptions did not exist or, where they did exist, were seldom formally approved by the user.

4.3 Some forces had experienced difficulties with suppliers over the cost of software changes, because of the way in which the applications were developed. The difficulty stemmed from the use of Rapid Applications Development (RAD), which dispenses with a definitive specification and is instead built on closely controlled feasibility, analysis, design, build and implementation phases - each of which should be subject to a time limit and to close change control and cost control. RAD is a sound approach, and its use represents good practice. It has been used successfully by a number of forces - involving the signing-off of work changes by users, which places an obligation on both user and analyst to get it right first time. Where difficulties have been experienced, they are largely due to poor contractual processes and lack of control over the "wish list" of personnel working closely with contractors.

4.4 HM Inspector found too many examples of contractual arrangements which were based on terms and conditions provided by suppliers. Whilst these contracts were frequently revised in the light of legal advice obtained by forces, the advantage was always potentially with the supplier. It is good practice for the Scottish police service to formulate its own terms and conditions for supply and maintenance of contracts, which should be available with the invitation to tender. These terms and conditions need not be written afresh for each procurement: standard terms and conditions can give a good starting point, and forces can learn from others who have already carried out a similar procurement.

4.5 HM Inspector was concerned to discover that not every organisation inspected could easily produce contractual documents for examination and that there was a lack of discipline in the dating of documents and the version control of technical, contractual and policy documents. Shortcomings in these bureaucratic tasks can lead to serious problems. They make it easier for the contractor to get away with shortcomings in the work - obliging the client to pay more or to accept a system which is less good than planned. It is also critical for auditing purposes that forces can easily produce contractual documents and the documents leading up to the approval of the project.

4.6 Few maintenance contracts produced for examination during the inspection contained clauses to protect the customer if the applications or systems did not meet performance and availability criteria. In particular, contracts rarely allowed the force to reduce its maintenance payments if the availability of the application or system fell below specified levels. On the other hand, HM Inspector identified best practice in the form of supply contracts which apply liquidated damages in the event of failure to deliver and, in the case of maintenance contracts, give discounts if speed and availability criteria are not met. These contracts, based on templates supplied by CCTA or the Institute of Purchasing and Supply, were excellent documents - and, in one instance, an organisation involved paid a fraction of its maintenance charges because of non-availability of the system in 1996/97.

4.7 Some organisations paid maintenance contracts three-monthly in advance instead of annually in advance: this represents good practice.

Recommendation 7

It is recommended that organisations use terms and conditions of contract developed by the customer rather than the supplier, for supply and maintenance contracts.

Training

4.8 HM Inspector found no evidence of any policing organisation in Scotland having developed a specific IT training strategy. However, there were many examples of forces thinking through their approach to IT training well, even in the absence of such a strategy. Most forces and policing organisations had purpose-built IT training classrooms, and the quality of equipment and training staff was of a generally high standard.

4.9 Users' criticisms of training stemmed from local difficulties rather than national problems. Most of these difficulties (for example, training being delivered too early) might have been overcome had training been considered at an early stage in the project planning process. The absence, in many forces, of project technical plans often made it difficult to assess whether training and policy issues of this kind were taken into account during the planning of projects. Evidence suggested that these forces paid a penalty because computer systems were not used in a standard way throughout the force.

Recommendation 8

It is recommended that training staff form an integral part of project teams in the development and testing of systems in order to raise the quality of training ultimately delivered to users.

4.10 In many forces, IT training simply taught users the basic operation of the system, because policy documents and operating rules for the systems did not exist. This is contrary to ACPOS policy that, particularly where systems access the Police National Computer (PNC), operating rules are to be created to guide staff in how to use the systems. The absence of such policy and rules causes difficulty for IT training staff.

4.11 There were, however, several examples of quality policy documents and operating rules for operational applications having been utilised in some forces' training programmes, and this represents good practice. The development of an IT training strategy would identify the need for policies on application use and system security to be created before the delivery of training.

Recommendation 9

It is recommended that, as part of the implementation of every computer project, policy documents and operating rules should be prepared, to serve as the basis for systems training and subsequent reference by users.

4.12 With the development of the SPIS programme, it will make more sense for IT training to be delivered in line with national standards (see Section 5).

System Security

4.13 Many of the computer systems used by police forces contain sensitive information which, if disclosed, could hinder the investigation of crime and put police officers or members of the public at risk. HM Inspector found that the need for IT security was widely recognised and the issue was given a high priority. Nevertheless, HM Inspector was concerned that forces had not developed adequate security policies.

4.14 Few forces have an IT security policy. Few staff interviewed during the inspection were familiar with the principles of security risk assessment. There were few examples of staff whose responsibility it was to assess risk or to create policy to guide both technical staff in the development of computer systems and operational staff in their use. As part of the review of their IS/IT strategies, forces should draw up statements on the security risk and how it is to be countered. HM Inspector found many examples of IT security booklets, distributed to all staff, which provided useful guidance. But they were not a substitute for an IT security policy. For example, none gave guidance to technical staff on the security standards to be applied in the development of computer systems.

4.15 HM Inspector was also concerned that there was little evidence of comprehensive "disaster recovery plans" - setting out what would happen if key computer systems failed. Where plans did exist, few had been rigorously tested or reviewed in the light of new technological developments. There were also examples of inadequacies in virus control software and of asset registers which did not comprehensively record the hardware and software in the organisation.

4.16 Of particular current concern to HM Inspector was the fact that, at the time of the inspection, not all forces and other organisations had completed their consideration of the likely impact of the new millennium. Because many computer systems record only the last two digits of the year, they may fail or malfunction around the start of the year 2000. Forces were in the process of considering the effect of this problem on each of their computer systems (and other technological applications such as computer chips in vehicles and lifts). That work needs to be completed urgently, and any necessary corrective action taken energetically, so that systems do not fail at the turn of the millennium.
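To make the mechanism described in 4.16 concrete, the following is an added Python example (not part of the report) that contrasts a legacy two-digit-year date parser with a pivot-year windowing fix of the kind applied during millennium remediation. The records, the record names and the pivot value of 70 are constructed assumptions.

```python
from datetime import date

# Constructed sample records in a two-digit-year store, as many systems of the
# period kept them: (identifier, day/month/yy).
RECORDS = [
    ("record-A", "15/03/97"),
    ("record-B", "02/11/99"),
    ("record-C", "10/01/00"),
]


def parse_naive(dmy: str) -> date:
    """Legacy behaviour: the century is hard-wired, so '00' becomes 1900."""
    d, m, yy = (int(p) for p in dmy.split("/"))
    return date(1900 + yy, m, d)


def parse_windowed(dmy: str, pivot: int = 70) -> date:
    """Windowing fix: two-digit years below the pivot map to 20xx, the rest to 19xx.

    The pivot is an assumption about the data; it must be chosen so that no real
    record falls on the wrong side of it, and it only defers the problem.
    """
    d, m, yy = (int(p) for p in dmy.split("/"))
    century = 2000 if yy < pivot else 1900
    return date(century + yy, m, d)


def to_four_digit(dmy: str, pivot: int = 70) -> str:
    """Durable remediation: rewrite the stored value with a full four-digit year."""
    return parse_windowed(dmy, pivot).strftime("%d/%m/%Y")


def days_elapsed(start: str, end: str, parser=parse_naive) -> int:
    """Elapsed days between two stored dates; negative values show the rollover fault."""
    return (parser(end) - parser(start)).days


def oldest_first(parser=parse_naive) -> list:
    """Ordering records by date: the naive parser sorts a 2000 record before 1997."""
    return [name for name, dmy in sorted(RECORDS, key=lambda r: parser(r[1]))]


if __name__ == "__main__":
    print("naive   :", days_elapsed("02/11/99", "10/01/00"), oldest_first())
    print("windowed:", days_elapsed("02/11/99", "10/01/00", parse_windowed),
          oldest_first(parse_windowed))
    print([to_four_digit(dmy) for _, dmy in RECORDS])
```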

Recommendation 10

It is recommended that forces and other policing organisations undertake, as a matter of urgency, a comprehensive programme to assess the risks to data, hardware and software assets and to adopt countermeasures, including business continuity, the millennium problem and the deployment of virus control software.

