PDF: Operational Plan For 2023 | Operational Plan For 2022

THE ICTD VISION | MISSION

By 2030, General Santos will achieve a data-driven, smart city local government utilizing e-government frameworks and maximizing the full capacity of data science tools towards its total digital transformation.

ICTD COMMITS TO:

  1. Support the LGU offices and the 26 barangays in the troubleshooting, repairs and maintenance of computer hardware and software
  2. Establish the fiber-optic connectivity of local government offices and the city’s 26 barangays for accessibility to e-government services.
  3. Committed to provide a citizen-centric ICT services to our stakeholders in collaboration with the LGU departments in implementing the eight e-government frameworks:
G2C
G2B
G2G
G2P
D2G
G2W
G2E
G2I
Government to Customer
Government to Business
Government to GovernmentDigitizing Government to People PaymentData to GovernmentGovernment to World
Government To Employees
Government To Internal Systems

THE ICTD VALUE PROPOSITION

Computer hardware and support servicing, system development and web and mobile app development are done in-house with help desk support available on weekdays from 7:30 AM to 6:00 PM. Additional features, new report formatting or creation, or database revisions can be done within the ICTD office as all developers are employees of the local government. The two main services are the Computer Hardware and Software  Servicing (CHSS) and Software Development and Web|Mobile App Development (SW).

THE STRATEGY

Revisit its ICT infrastructure/infostructure by establishing and strengthening its four components, namely: hardware, software, peopleware, and dataware. Initially, there is a need to go back to basics from assessment and inventory of the components to establish a baseline data. In the planning stage, it is a must to review the Philippines E-Government Masterplan to anchor the thrusts of the city to the national ICT plans. Once the hardware and network considered as the infrastructure backbone of ICT are set in place, another layer of foundation needs to be strengthened. The ICT “infostructure” will cater to the digital applications, systems, and services to enhance interoperability within local and across national governments, and with the citizens who need to access the e-government services through the official website of the city. Then start the implementation process followed by evaluation of the strategy.

The idea of ICT “Infostructure” is an integration of e-government services where each department’s services are aligned with the e-gov classification frameworks. The integration addresses the interoperability or information exchange between and among government agencies. The classification aligns the type of service delivered to the proponents, to wit:

G2C. Customer Empowerment recognizes ICT solutions in public education and engagement and in the use of electronic facilities and channels aimed at providing improved, timely and relevant delivery of public services.

G2B. Business Empowerment acknowledges LGUs’ initiatives to improve their responsiveness to the needs of business enterprises.

G2G . Government Interoperability which promotes efforts to connect data and systems with other government offices, both national and local, for the convenience of their constituents and to improve their public service delivery.

G2P. Digital Finance Empowerment  which endeavors to promote e-commerce or e-payment facilities and systems aimed at ensuring effective revenue generation and collection, improving overall financial management, and providing convenience to the public.

D2G. Data-Driven Governance which exemplifies good governance through fair and responsible processing of data.

G2W. Systems for Global Competitiveness which develops world class systems in using ICT.

G2E. Empower Government Employees which deliver productivity gains that improve impact and enhances the  capacity  and capability  of government workforce to improve the internal efficiency and public service delivery.

G2I. The efforts of an LGU in developing or improving its internal systems and adhering to various recognized standards, to be able to provide better service to its internal customers.

CHALLENGES VS. OUTCOME
The maximized Uses of ICT as engine can move GSC towards the direction of a wholesome, sustainable, economic growth and development. On one hand, the strategy may bring opportunities to the public and the government. This can promote transparency and accountability that can minimize corruption. Efficiency can be improved through faster processing time and eliminating repetitive data entries. This can bring cost reduction or less manpower requirements to both the public and the government. Eventually, it can increase the people’s trust in the government. But against this positive outcome, challenges go with it. These challenges can become the baseline data in the process of achieving the plan. The common challenge is the support of management in terms of budgetary requirements.

THE PLAN

Next is the policy issues of the office with emphasis on the process flows or the standard operating procedure that are not clear. Another is the privacy and security issues in compliance with the Data Privacy Act of 2012. Another is the digital divide across the ages, social and economic status, and educational attainment. Finally, the ICT infrastructure and info structure are the two most critical challenges.

These are needed to retool the city’s digital transformation in general. The following are the top-level plans to provide solutions to these challenges.

A.1. HARDWARE INFRASTRUCTURE PLAN

  1. Re-establish an inventory of existing computer hardware
  2. Set the “up time” of all functional computers to get the number of hours usage
  3. List all actual output activities of the computer (data entries + printing + etc)
  4. Compute for the difference of “uptime” vs. the output activity
  5. Determine if a department has over or under usage of computers
  6. Justify the need to acquire the following:
    -Desktop, Laptop, and Tablet Computers
    -Touch-Screen Monitors
    -TV Screens or Monitors
    -Deskjet, Laser, Point-of-Sale, Card Printers | Plotters
    -Bar, QR Code Reader / Scanner
    -High-lumens Projectors
    -Digital Signature Pads
    -RFID System (Microcontroller, Generator, Receiver/Detector)
    -GPRS SIM Module
    -Network-attached storage (NAS)

B.1. NETWORK INFRASTRUCTURE PLAN

  1. Re-establish an inventory of an existing local area, wireless, and intra network. Include the 26 barangays network accessibility as part of the LGP CARES platform of governance.
  2. Re-plan the topology, network address assignment for enterprise domain, subnetting or VLAN.
  3. Re-establish the active directory security.
  4. Acquire the following if applicable.
    -MDF | IDF | Server Computer
    -UTP Cables | RJ-45 Connectors | Testers
    -Switch Hubs | UTM Devices

C.1 INTERNET INFRASTRUCTURE PLAN

  1. Collate all department’s internet subscription plans.
  2. Compare the total individual expense versus dedicated subscription.
  3. Create a cost-benefit analysis on per department versus dedicated connection.
  4. Consider acquiring a dedicated internet line to each of the internet service providers
  5. If CBA is favorable, discontinue the individual subscriptions if dedicated connections are reasonable and distribute connections to departments.
  6. Establish Voice Over IP (VOIP) of the LGU stakeholders as an alternative to the current use of telephones.
  7.  Propose a policy for internet usage.

D. ICT “INFOSTRUCTURE” PLAN

D.1 Website Management Plan

  1. Restructure the Official Website of General Santos City under the domain at https://gensantos.gov.ph
  2. Include all the departments, City Mayor’s Office Divisions, and special bodies and programs by creating their individual sub-domains but using one generic theme to standardize the look and feel.
  3. Integrate the e-government services through web or mobile app using the website and bearing the .gov.ph locator to improve the constituent’s trust to the government.
  4. Assign and train the department’s representatives as wp-admin to manage their individual websites.
  5. Involve the departments to provide web contents for their pages or posts.
  6. Adopt existing guidelines related to website management, to wit:
    -AO No. 39 s. 2013. Gov Web Hosting Service
    -Philippine Uniform Website Content Policy7.Propose to institutionalize the website through ordinance or executive order and adopting gensantos.gov.ph as the official domain.

D.2 System Development Plan

  1. Conduct an inventory of all application systems either for computer or web application systems.
  2. After the system audit and/or inventory is completed, the next critical step is to identify what system to be developed for web or for mobile app development. Identify these systems if in-house developed or outsource then identify supplier, retrieve contract agreement or TOR.
  1. After completing D.2.1, group departments with similar needs to develop or adopt existing system, common to those departments
  2. To fast-track development, collaborate with the academe to send their BSIT, BSCS, or other IT-related students undergo their on-the-job training programs to LGU GSC.
  3. CMO-ICTD to spearhead the system development using rapid development toolkits without jeopardizing the system development life cycle or SDLC processes.
  4. Align the e-gov framework with the city’s four clusters: bankability, livability, competitiveness, and good governance

D.3 Web| Mobile Application Dev. Plan

  1. The plan is generally the same with the system development.
  2. Generally, all inquiry systems may be developed and deployed through web/mobile app.
  3. All transactions or data entry in a day to day operation will be handled through the computer system development.
  4. Interface programs, ETL/ELT pipeline software, or other forms of file transfer across multiple platforms and operating systems will be adopted to clean and migrate the data.
  5. Adopt the 2021 Top Ten security vulnerabilities the Open Web Application Security Project to improve software security and convert as an internal control mechanism.
  6. Eventually, adopt the ISO 97001 or the Information Security Management System (ISMS).

E. Peopleware Development Plan

-Quality Assurance Tester
-Network Specialist/Engineer
-IT Help Desk Technician
-User Experience Designer
-IT Security Specialist
-IT Project Manager
-Project Manager
-Systems Analyst
-Database Administrator
-Computer Programmer
-Web Developer
-Data Scientist/Engineer
  1. Conduct skills inventory of all CT practitioners across the organization
  2. To provide long-term tech support for in-house development, there is a need to hire practitioners aligned with the following skillsets and functions:

-Project Manager
-Systems Analyst
-Database Administrator
-Computer Programmer
-Web Developer
-Data Scientist/Engineer
-Quality Assurance Tester
-Network Specialist/Engineer
-IT Help Desk Technician
-User Experience Designer
-IT Security Specialist
-IT Project Manager

  1. Invite IT/ICT students from all colleges and universities in the city to undergo their on-the-job training requirements at CMO-ICTD
  2. Involve   new technologies through massive open online courses (MOOCs) that are free or through application to avail the free courses related to the need.

For Government To Employees (G2E)

Adopt this component to empower the employee and to deliver productivity gains that improve impact and enhance the capacity and capability of government workforce for efficiency of public service delivery.

1. Assess the employee’s skillsets.

2. Engage employees to subscribe, attend, and complete free online e-learnings sponsored by government agencies like DICT, DAP, SPARTA, CourseBank, TESDA, or international organizations like Coursera, UN, UN-PAN, UNICEF, UNESCO, WHO, ADB, etc., if applicable to position.

3. Require other employees to complete a face to face hands-on training workshop if cannot attend to online classes.

4. Require employees to create professional e-profile using WordPress, Google, Wix, etc. to showcase their accomplishment.

5.Link employee’s e-profile to their department’s organizational chart in their own assigned web portal or sub-domain.

6. Re-asses the readiness skillsets. If applicable, LGU-GSC through CMO-ICTD can create its own online and hands on training programs to support the G2E efforts and to apply the trainings attended to attain self-improvement, help others, and to narrow down the digital divide.

F. Dataware Development Plan

1. Propose to create a Data Privacy Task Force to implement the Data Privacy Act of 2012 in comparison with Executive Order No. 02 or the EO on Freedom of Information (FOI) for open government.

2. Adopt the D2G framework, the Data-Driven Governance to exemplify good governance through fair and responsible processing of data.

3. Acquire knowledge in any short-term e-learning courses to support the perspective of a data-driven governance towards digital transformation.

4. If data is available, assess the scope of data collected by the departments.

5. Identify the sources, storage and retrieval methods of data collected.

6. Departments to identify and forecast the reports needed by LGU, NGA,
and researchers.

7. Adopt any extract-transform-load (ETL) software to cleanse and migrate
the data.

8. Utilize the department’s Google Drive to store the cleansed data.

9. Acquire any non-programming data visualization and electronic dashboarding tools like Google Data Studio or Microsoft Power BI to showcase the e-dashboarding to the consumers.

10. If data is not available, mobilize the academic researchers to gather data.

G. Information System Acceptance Policy

All information systems request will generally be accepted subject to the following CMO-ICTD policy:
1. Requestors will write a request letter to the City Mayor, or Executive Assistant for IT, or to the Division Chief of CMO-ICTD.

2. The CMO-ICTD chief will confirm the request by responding through a letter to set a meeting with the requestor.

3. If the request letter is done after the first or second half deadline of OPCR target submission, the request will be scheduled next rating period subject to availability of SDLC team members.

4. However, if a request is required by the City Mayor’s Office, it will be prioritized but subject to availability of SDLC team members.

5. If the information system requested is new, the CMO-ICTD will discuss the System Development Life Cycle’s phases namely:

5.1. Pre-Assessment Phase
This is where the agreement between the requestor and CMO-ICTD will take place. Roles, functions, and responsibilities of both parties are discussed to level off the shared responsibility. If the requestor conforms with the terms and condition of CMO-ICTD, the requestor will sign the agreement form to start the project officially and proceed to the next phase.

5.2. Assessment Phase
Checking of the hardware, software, peopleware, and dataware components of computerization takes place in this phase. If computer hardware and network are lacking, the Computer Hardware and Software Servicing team will assess and prioritize the needs, and will estimate the components that will be needed. Availability of IT human resources of the requesting party and CMOICTD will be established. The cycle continues subject to the availability of resources. Data analytics, data visualization, or reports desired by the requestor will also be included in this phase.
5.3. Systems Analysis and Design Phase
The CMO-ICTD will create the process map, database structure, tables, queries, data dictionaries, data flow diagram, entity relation diagram. The requesting party will provide the manual process flow charts, all report formats, and complete processes.
3.4 Programming Phase
The CMO-ICTD will write the programming codes. Every completed data entry or report generation will be installed right away and tested by the ICTD’s QA Testers. If errors are detected, the testers will document the findings and require the team to apply the changes. Another round of checking will be conducted before
installing the data entry or report to the requesting department units. At this point, all users are obliged to operate and test the data entry to check if there are bugs for correction. The CMO-ICTD circulating programmer will check the users and list all errors that are still occurring. If new features are added during the course of checking, the circulating programmer will report and discuss the matter to the division chief, systems analysis, and programmers about the new features requested. Targets in the timeline will be adjusted. Within the programming phase, the implementation phase is actually carried out piece by piece to test the system for bugs. Programming and testing cycle out every time data entry is completed.
5.5. Implementation Phase
This is the ribbon-cutting, red-carpet formality phase where ICTD with the executive turns the developed system to the end-users.
5.6 Evaluation Phase
In this stage, there are three major activities that the ICTD will take:
(a) Conduct the OWASP 2021 for vulnerability testing
(b) Audit the system using the QA Testing Policy for continuous
integration, continuous deployment
(c) Turn-over the code to the division chief using the IS Turn-over
Policy
5.7 Replication Phase
In the event other departments will request for the same system, CMO-ICTD will replicate the same to another requesting department. If an LGU from another city or municipality intends to request for the system, a memorandum of agreement will be made for LGU-GSC to replicate the system to another LGU free of charge.
4. If the information system requested is existing and ready for use, the CMO-ICTD will discuss the System Development Life Cycle’s phases except the System Analysis and Design and Programming Phases since there is no
need to redo major processes.
5. If there are major revisions like additional information that do not exist in the current table or databases and involve five or more new and additional steps in the main process, the project will cycle to the assessment phase until evaluation phase.

H. Information System Turn-Over Policy

A. CMO-ICTD In-House Developers
CMO-ICTD developers will turn-over their codes in the evaluation phase of
the SDLC.

1. CMO-ICTD will give access to the Google Drive where codes per system will be dumped.
2. If the developer will resign or retire, he will inform the office that all codes of the system are all present in the Google Drive’s specific folder of the system developed or assigned.
3. CMO-ICTD will verify the completeness of the codes before giving clearance to the employee.
B. Other LGU-GSC Developers

Regular, job order, casual, contract of service employees from other departments of the LGU-GSC are required to turn-over their programming codes in the following events:

1. Before implementation
2. During resignation or retirement
3. Reassignment, transfer, or promotion to other office

 

CMO-ICTD will give access to the Google Drive where codes per system will be dumped including the following:
1. Project Management Timeline
2. Details of the Systems Development Life Cycle Per Phase
3. Flow Charts
4. Process Maps
5. Data Dictionary
6. Data Flow Diagram
7. Entity-Relation Diagram
8. Others

I. Anti-Virus Management Control Policy

OBJECTIVES:
1. Back-up files created or edited in any computer application systems like Word, Excel, PowerPoint, and etc.
2. Avoid proliferation of virus to other computers by restoring previous computer setting.

RATIONALE:
Data loss due to negligence, virus attack, cyber threats, and the like can cause operation stoppage or revenue losses creating public mistrust to the government. As part of the risk management plan in relation to continuous ISO certification, there is an urgent need to establish mechanisms to minimize the risks that may be encountered.

REQUIREMENT:
The office must ensure that the following hardware and peopleware components are on hand, to wit:
1. Local Area Network (LAN);
2. Computers;
3. Uninterruptible Power Supply; and
3. User credentials

IMPLEMENTATION POLICY
1. Offices must acquire or utilize a standard desktop computer to act as a local file server.
2. The file server must use a “Proxmox Virtual Environment” software running in Linux operating System.
3. CMO-ICTD or the department’s IT staff must install and configure the TrueNAS application on top the Proxmox Virtual Environment at the server.
4. CMO-ICTD or the department’s IT staff must install and configure the Deep Freeze software at each computer connected to the file server.
5. CMO-ICTD or the department’s IT staff must conduct a training on how to do the daily backup of files.
6. Office must set a cut-off time for backup or to store all files created or edited by the user.
7. At set time, users must run the backup procedure to store working files only like Word, Excel, PowerPoint. Videos, music, games are not allowed for storage.
8. If any file is stored that is not office-related like movies, games, and the like, the user will be warned and the files will be deleted by the CMO-ICTD or the department’s IT staff.
9. Every time a user reboots the computer, the Deep Freeze software restores the previous settings. This means that all files created or edited before reboot are deleted. Thus, it is a must to do the backup procedure regularly.
10. The user restores files from the file server to continue editing or start a new document.

J. Web Security Policy

The most accepted protocol is the ISO/IEC 27001 or the Information security management standard to manage risks related to information security. There are 114 controls set and to be adopted. Since ISO:27001 is broad in scope and expensive, CMO-ICTD opted to adopt another protocol called the Open Web Application Security Project® (OWASP) which is a collaboration among software developers and technologists around the world to secure the world wide web and similar to ISO:27001 (ISMS) in terms of protecting the online information of LGU-GSC. The top ten OWASP 2021 vulnerabilities are the following, to wit:

1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery

Out of these vulnerabilities, CMO-ICTD crafted a web security policy to ensure LGU-GSC web applications, system applications, and its databases are protected against malicious threats. The OWASP vulnerabilities are the software side of threats. On the hardware side, network administrators may install a network firewall and developers may install host-based firewall if applicable. Unified threat management (UTM) or other devices similar in functionalities may be installed for added security. On the peopleware side, we will require all developers to undergo cybersecurity trainings through free massive open online courses (MOOCS). These trainings can be accessed FREE OF CHARGE under DICT-Coursera or DICT-SPARTA partnerships. These measures do not guarantee full protection as ill-intent technologists or IT/ICT [mal]practitioners are roaming the internet to launch an attack to test their prowess, challenge other hackers, or simply do it for no purpose at all. It is better to prepare than do nothing at all.

Vulnerability VS Control

1. User Accessibility Level. (Control)
Web developers assigned to a specific app must ensure a user-access level is
created where roles are defined during creation or registration of a new
account. Only authorized users can access the app or system.
Example:
Level 0 - Admin. Can add, update, delete, view, print, etc
Level 1 - User 1 Can add, update, print etc
Level 2 - User 2 Can add, update only etc

Vulnerability 1: Broken Access Control

BACKGROUND: 1. Broken Access Control occurs when confidential information is viewed by a user who should not have permission to access that data. It also occurs when a user is able to act beyond the permissions of their role. Thus, the confidentiality, integrity, and availability is breached.
2. Encryption.
Developers must encrypt passwords in inserting to database tables and decrypting during retrieval processes. Include critical information to be encrypted. Adopt the Advanced Encryption Standard (AES) algorithm or any available HASH algorithm. Developers must ensure that the domain and all sub-domains must add a certified layer of security to encrypt the connection between the web server and the web browser.

Vulnerability 2: Cryptographic Failures

BACKGROUND: 2. Cryptographic Failures. Cryptography is a method of protecting information through the use of codes. if critical or personal information is not encrypted properly, the information may be hacked at rest where threats may come from within the organization or during in-transit where information is requested over the internet.

A website needs an SSL to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust. Thus, there is a critical need to have an SSL certificate to assure the public that the protocol bears HTTPS:// to assure the public that the local
government site is secured.

3. Validation Rules.
Always validate, validate, and validate. All data entries need to be validated before any insert or update is committed into columns or fields of the database tables.
Example:
-If the app requires a date, then validate with mm/dd/yyyy format or other formats used in the Philippines.
-If it requires a number then validate it as integer, decimal, float or others.

Vulnerability 3: Injection

BACKGROUND: 3. Injection happens when an application accepts data as input and processes it as an instruction rather than just as data. Its effect may include deletion of data from databases or worst case, formatting of hard disk drives.

4. “DRIFT” the errors away. (Do it right the first time. Do it right all the time.) Developers must address the problem right away when exception errors occur at test time. This is to prevent users or attackers from reading the error
message as it may contain information that can be used to stage an attack to the root directory and databases. All errors must be fixed before code is published for production.
BACKGROUND: 4. Insecure Design is a broad category representing different weaknesses, expressed as missing or ineffective control design.

5. Periodic Password Update.
Developers must require users to change their default password. Users must create a strong password by using a third-party app to generate a strong password. Change the password periodically. Do not use your birth dates, initials of your names, or names of your loved ones.
BACKGROUND: 5. Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk. The application might be vulnerable if it is without a concerted, repeatable application security configuration process.

6. Firmware | Software Update
Install software updates of components and deploy patches across all departments using the web app when new versions are available after all users have logged out. Ideally after office hours or during Saturdays or Sundays.
BACKGROUND: 6. Vulnerable and Outdated Components. If the software is vulnerable, unsupported, or out of date including the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

7. Authentication Process
Developers must create a two-factor authentication process during user’s registration of new accounts. Developers must provide a ‘Forgot my password’ feature. Must include ask for code through SMS (text messaging) Verify if code is correct then allow access to change password Users must not forget to log out their account after using a system or app. Developers must also close each session opened by a user when errors occur in the program.

BACKGROUND: 7. Identification and Authentication Failures are vulnerabilities related to applications' authentication schemes. Such failures can lead to serious and damaging data breaches.

8. If not sure, DISCARD.
If not sure, developers must not install plug-ins or widgets, and refrain from using libraries that are not tested against threats. This vulnerability affects the quality and security of the finished product. As much as possible, purchase a legit plugin or widget and register to use a library.
BACKGROUND: 8. Software and Data Integrity Failures are related to code and infrastructure that does not protect against integrity violations. Malicious attackers may take advantage of software updates or free plugins
to install malwares.

9. Audit Trails
Developers must create an audit trail of user’s activity from login to logout including the geographic location of users that must be identified by the app. If a suspected threat is detected like passwords do not match, or number of tries exceeds, or unusual access is detected, developers must email or autotext the user and the developer that an account is being used maliciously, and eventually stop the transaction to protect the data, system, or app.
BACKGROUND: 9. Security Logging and Monitoring Failures are frequently a factor in major security incidents.

10. IP Address Authentication
Developers must set only allowed or not-allowed lists of IP addresses or hostnames to access the server. Authentication of users, IP addresses, or hostnames must be enforced during system or web app development and deployment.
BACKGROUND: 10. Server-Side Request Forgery is a vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. The forgery allows an attacker to force the application to send a crafted request to an unexpected destination.

Considerations:
The OWASP vulnerabilities are the software side of threats. On the hardware side, network administrators may install a network firewall and developers may install host-based firewall if applicable. Unified threat management (UTM) or other devices similar in functionalities may be installed for added security. On the peopleware side, we will require all developers to undergo cybersecurity trainings through free massive open online courses (MOOCS). These trainings can be accessed FREE OF CHARGE under DICT-Coursera or DICT-SPARTA partnerships.

K. Succession Policy

If an employee from CMO-ICTD may be affected by any of the following situations: separation; termination; resignation; retirement; reassignment; detail; transfer; secondment; reclassification; promotion; or demotion, the CMO-ICTD will perform the following plan of action:

1. Retrieve the employee’s current IPCR
2. Classify the success indicators that can be delegated
a. The rule of thumb in the delegation of doable is anything that is a routinary can be delegated. In the SDLC, all phases can be delegated to any employee except the signing for approval of forms by the division chief used in each phase of development.
b. The delegation of authority granted by the local chief executive to the head of office to sign or approve on behalf of the LCE cannot be re-delegated to his or her officemate or subordinate. A memorandum from the LCE is required to
perform the task of signing the approval.

3. Distribute the SI doable to the remaining employees having the same or similar skill sets with the affected employee.
4. Identify the SI doable if considered a priority project like missioncritical projects requested by the City Mayor’s Office that have direct impact to stakeholders in terms of the urgency in peace and order, financial, social, or health emergencies.
5. The preparation of eventualities include the following:

a. Continuous Participation to ICT Training (MOOCS) The CMO-ICTD requires all its employees to complete at least three courses under the massive open online course to hone their crafts in the different areas of discipline in ICT. Training courses are reflected in the IPCR per semester as evidenced by posting the course name in their e-profile.
b. Coaching and Mentoring. The division chief provides the unscheduled coaching and mentoring sessions based on actual needs or as the need arises. In ICT practice, everyday is a new day. Everyday, there is always a new problem that the practitioners encounter. Thus, small groups with the office head sit down to strategize the solution in a team spirit or esprit de corps.
c. Buddy System
According to wikipedia, “the buddy system is a procedure in which two individuals, the "buddies", operate together as a single unit so that they are able to monitor and help each other. Webster defines it as "an arrangement in which two individuals are paired.”

The buddy system is basically working together in pairs in a large group or alone. Both the individuals have to do the job. The job could be to ensure that the work is finished safely or the skill/learning is transferred effectively from one
individual to the other. In ICT practice, it is always true that “no man is an island”. At CMO-ICTD, it is a common scenario to share and discuss the problem and solution or strategies and techniques with at least a partner who performs the same computer language of developers.
d. Turn-over.
As a matter of practice under the evaluation phase of the CMO-ICTD System Development Life Cycle (SDLC) phases, the computer system developers and web or mobile app developers turn-over the codes to the division chief by uploading the said programming codes to the Google Drive under the official email account at cmoictd@ensantos.gov.ph. All components of a specific system or app have a folder storing the systems analysis and design tools like flow charts, process maps. Data dictionary, data flow diagram, entity relation diagram, quality assurance testing policy, OWASP 2021 filled out form. Letter request and other correspondence between the requestor and CMOICTD. The turn-over of codes and the documentation process performed by CMO-ICTD before, during, and after the development processes ensure the resiliency in the event there will be unexpected movement of employees.
e. ICT Collaboration Project with the Academe.
During the official start of CMO-ICTD operation as a division in 2013, the office started collaborating with the BSIT and BSCS students from the different colleges and universities of General Santos City. The students are given system development projects in a one-on-one approach to programming with the idea of independence as to the style
or technique of writing codes. The students were guided along the way based on the standards set by CMO-ICTD. In
July 2022, it restarted the on-the-job training program for IT students. In January 2023, the City Mayor approved another milestone by inviting the academe to have a collaboration with LGU in the capstone project of BSIT or BSCS students.

The output of the students are of great help to fast-track the development phases of ICTD. The opportunity to work directly with the students establish a manpower pooling of skills. ICTD can choose the best candidate if there are hiring related to their education and experience.
f. Request Resources.
If all systems fail, the CMO-ICTD needs to request for a supplemental budget from the City Mayor’s Office to fill in the gap. In-house resourcing from other offices who have IT human capital can be tapped as an alternative in filling in the gap.

L. Software Licensing Policy

All computers purchased by LGU-GSC since 2013 are packaged with a licensed Windows operating system. However, the commonly used MS Office Suite including Word, Excel, and Powerpoint are not licensed. Thus, the CMOICTD will appropriate an incremental amount in the annual budget charged to software licenses used by departments in line with their operation to start the compliance.
1. ICTD reviews the department’s inventory of computers and software installed in each functional computer.
2. Summarize the number of computers per department.
3. Identify and count the software installed per computer.
4. For the first year (2023), start to purchase 50 sets of MS Office Licenses for the 26 departments, 9 divisions, 15 special programs and projects.
5. For the second year, include software licenses based on item number
3 and continue the purchase of 50 sets of MS Office Licenses until all computers using MS Office are licensed
6. Continue the annual procurement of licenses other than MS Office until all computers of LGU-GSC are licensed.

Note: MSOffice 2021 = P 19,000.00 Perpetual License as of February 2023

M. Preventive Maintenance Policy

Preventive Maintenance is the process of assessment, diagnoses, and rehabilitation of computers across the offices of LGU-GSC to restore the computer's ideal performance. The peopleware component of ICTD will run the diagnostic exam (software), print the result, apply standard operating procedures for restoration, re-run the diagnostic, re-print the result for comparison, and finally clean the external port of the computer. Its expected result is that all computers undergo preventive maintenance to minimize repairs and lower the rate of new computer purchases.

The pre-implementation includes the following:
1. Identify departments having IT-related appointees
2. Coordinate with HRMDO for full names and positions of Item #1 (Regular/Casual)
3. Coordinate with Departments or CMO for full names and positions of Item #1 (JO/Casual)
4. Secure an official memo from LCE to involve ALL IT-related positions listed above to conduct their own respective inventory and DO the actions required by the ISO consultants
5. If a department has no IT appointee, ICTD will perform the following tasks
6. Identify LGU buildings, its location, number of floors and rooms
7. Count number of PC per room, floor, building
8. Record the details based on PMP provided by the consultants
9. Schedule the actual implementation on a week-to-week basis

The implementation includes the following:
1. Perform necessary preventive measures as listed
2. Document all steps using JO Forms
3. Retrieve property records at CGSO to link the PMP form to the property system using PIN

Preventive Maintenance Procedure
1. Run chkdsk at C:\
2. Boot to Windows
3. Run the Burnintest Software and print report
4. Shutdown the computer
5. Boot to Windows
6. Delete *.tmp, prefetch, and %temp% files
7. Run defrag
8. Run the Advanced SystemCare Software
9. Boot to DOS
10. Run chkdsk
11. Boot to Windows
12. Run the Burnintest Software and print report
13. Compare report of Item #3 and 12

N. Database Backup Policy

Database backup is the process of storing information that went through data entry using specific systems either in-house developed or developed by third-party suppliers. Data is considered as the new fuel of the economy as
technology evolves faster so as data are collected with high volume in a socalled data explosion phenomenon. Thus, backup of these collected data need to be safe and secure. CMO-ICTD encourages all offices running a system with database backend to follow the following backup level policy:

LEVEL 1: The Grandfather-Father-Son (GFS) Backup Policy
LEVEL 2: The NAS Backup.
All system databases or data files used by departments or offices need to procure a network-attached storage device for backup purposes to ensure efficient retrieval.
LEVEL 3: Decentralized Backup
All system databases or data files used by departments or offices with servers may agree to use the servers to backup other office’s databases or data files.
LEVEL 4: Off grid-Powered Backup
All system databases or data files used by departments or offices need to establish another location or outside the main room or building that houses the database and with a separate power supply that is detached from the main office to ensure backup of data.
LEVEL 5: Cloud Storage Backup
All files need to be stored in a cloud computing account in either of the following platforms:
(a). IaaS – Infrastructure as a Service
(b). PaaS – Platform as a Service
(c). SaaS – Software as a Service

LEVEL 1: The Grandfather-Father-Son (GFS) Backup Policy:
1. Print the Monthly GFS Backup Calendar every first Monday of the month. Please see Annex
2. Every Monday to Thursday, at 4:30 PM. ‘R’ performs the backup protocol 2. ‘R’ signs the calendar day when the backup is completed.
3. ‘A’ signs the calendar day when ‘R’ completed the backup.
4. Every Friday, at 4:30 PM ‘R’ runs the backup protocol
5. Repeat steps 2 & 3 for the following week.
6. ‘R’ copies the ‘Father’ backup to external device(s).
7. ‘R’ turn-overs the Father’ backup to ‘A’ for safekeeping.
8. Steps 1-7 are repeated in the following weeks.
9. Every last Friday, at 4:30 PM ‘R’ runs the ‘Grandfather’ backup
protocol
10. Repeat steps 2-3, 6-7 for the ‘Grandfather’ scheme

O. Data Center and Server Room Management Policy

The approval of City Ordinance No. 14 Series of 2012 creating the Information and Communications Technology Division under the Office of the City Mayor of the city government of General Santos paved the way for the establishment of the city’s server room and the data center.

Background

In 2013, upon the assumption to office of the eight CMO-ICTD regular employees, one of the priority projects was to build the foundation of the city’s network infrastructure. A comprehensive plan for the network infrastructure backbone started based on the approved budget of PhP 33 Million. Sometime in the last quarter of 2013, a purchase request to acquire a high-speed fiber-optic line was materialized. The design was conceptualized by Leonard Pe – IT Officer 1 with the challenge to interconnect offices within the City Hall building and external offices located around one to three kilometers apart like the GSC Hospital and the City Health Office. The City Terminal, Public Market, CGSO/OBO and CEO are outside the City Hall Compound posing another interconnectivity challenge that time.
In the first quarter of 2014, the request was awarded to a local network provider. Actual cabling, setup, installation, and configuration were completed in the 2nd quarter of 2014 with the different offices interconnected as planned. Success Indicator (SI) is to target 100% or 5 offices interconnected to theFiber Optic Network Backbone Infrastructure not later than June 30, 2014 with CASSO, LCR, CPDO, CTO, CAGRO
interconnections. Simultaneously the local area network (LAN) plan was completed. Offices with available funds started procuring their basic IT equipment for LAN installation like network switches, connectors, and UTP cable through the recommendation of the ICTD Computer Hardware and Software Support Services. After assessment, hardware recommendation for PR or for budgeting purposes is prepared by the CHSS and forwarded to the AO or department head. From January to June 2014, the following offices requested ICTD for their local network connectivity. The Network Support of ICTD is continuously being implemented as approved under the Executive Legislative Agenda 2014-2016. Various factors paving the way for the successful implementation
includes the following resources:
1. Approved Appropriations
2. Human Capital – as ICTD is an institutionalized office through City Ordinance 14 Series 2012. Talents and Skills are homegrown – Gensan being tagged as the Home of the Champions and Well-Spring of Winners.
3. Technological Advancement
4. Work Process Standardization

O. Data Center and Server Room Management Policy

Legal Basis

Based on City Ordinance No. 14 Series of 2012, one of the functions, duties, and responsibilities of CMO-ICTD is to “secure maintenance of servers and data centers” under Section 3 Item No.4 and to “manage connected users and computers to the servers, internet, database and application systems” under Section 3 Item No.5.

Objectives

1. Establish a standard policy
2. Replicate and require the policy to be adopted by other offices operating their own servers
3. Maximize the city’s resources by providing a 24/7 uptime accessibility to end users
4. Identify threats and establish control mechanisms to limit the risks as threats to all information or web application systems.

Rationale

As the city’s population continuously grow, the delivery of public service and the number of front-end users of systems or apps increase proportionally with the population growth rate. When there are more users, IT equipment, and transactions are involved, there is a critical need to manage the servers securely to achieve better and faster services limited to lesser or zero downtime, thus, the CMO-ICTD need to establish the plan and policy for implementation across the offices of LGU General Santos City.

Policy Matrix

The policy is presented in a matrix format below with rationale per description.

A. Room Requirement

DESCRIPTION                          RATIONALE
1. Glass Encasement               Promote transparency and see through the equipment even when outside the room.
2. Room Dimension                 3m x 4.5m
3. Clearance                                 At least 3ft from the glass wall
4. Thermometer                         Temperature monitoring
5. Contaminants                         Must be free from dust, moisture, direct sun light.

B. Environmental Requirement

DESCRIPTION                                                               RATIONALE

1. 24/7 Air Conditioning System                            To keep cool temperature

2. Temperature                                                                  18°c to 24°c

3. Moisture Content                                                       Humidity level is between 40 and 50%

4. Exhaust Fan                                                                    Provides proper Ventilation

C. Security Requirement

DESCRIPTION                                     RATIONALE

1. CCTV                                                      Monitor activities inside the server room.

2. Emergency Light                              Illumine the area or to capture subjects on CCTV during power outages.

3. Electronic Lock                                 Provide security and access to two authorized personnel only.

4. Fire Extinguisher                             Fire control

5. Access Authorization                    Authorized persons can access the data center .

6. Power Backup                                    Provide temporary power when main power source is off.

7. Approval for
installation/removal/                           Approval from the head when conducting hardware maintenance.

replacement of
equipment

8. Fire Alarm                                             Alarm when fire/smoke is detected .

9. Firewall                                                  Provide network security from cyber threats.

10. Data Backup                                     To prevent data loss and provide data recovery.

D. Other Restrictions

DESCRIPTION                                        RATIONALE

1. Food and Drinks                                  To avoid damage to equipments and maintain cleanliness

2. Unauthorized Persons                     Avoid unnecessary access to the equipments that cause data loss.

3. Water Containers                               To avoid electrical shortage when liquid spilled over to the machines

4. Office Supplies                                      To maintain space and clearances.

P. Web Hosting Policy

Web hosting is an online service that makes the content of a website accessible on the internet for public consumption. It is similar to renting a house for a fee. The bigger the house, the more expensive the rent will be. The more amenities the house has, the more expensive the rent will be. Thus, there is a budgetary requirement in renting the space on a monthly or yearly basis.
CMO-ICTD must renew the annual subscription to avoid disconnection of eservices for the internal stakeholders or those users of computer application systems, web, or mobile app users, and other users doing the backup of files or databases.
CMO-ICTD must use cmo-ictd.gov.ph as the official email address to communicate with the web hosting provider for transparency and succession purposes in the event there will be changes in the staffing of CMO-ICTD as affected by change of administration, reassignment, retirement, resignation of employee appointed to keep the email account of the web hosting company.
By default, the CMO-ICTD’s Computer Hardware and Software Servicing Section will be tasked to manage the cpanel and ftp and perform the following tasks:
-Create subdomain names of all departments, divisions, and special programs of the local chief executive.
-Install SSL certificates to all subdomain names and the main domain for security purposes and boasts stakeholder’s confidence in browsing the website.
-Once a notification is sent for SSL expiry, inform the CMO-ICTD chief about the renewal process.

-Request to create a new subdomain must be coursed through a formal letter addressed to the CMO-ICTD chief before the CHSS section grants the subdomain creation.

CMO-ICTD will turn-over the username and password of the cpnael if a department, division, or special program opts to manage their own cpanel and/or website.

In case of FTP request, the policy for cpanel will be applied.

CONTENT MANAGEMENT
Role of CMO-ICTD

-CMO-ICTD will be the one to establish the websites of all departments using WordPress and adopt a default theme to be used for uniformity.

-If the department, division, or special program opts to use another
WordPress theme, they can do so however they will be the one to configure
the new theme.

-By default, it is the responsibility of the department, division, or special
program to write, edit, post their own article in their individual website.

-Department, division, or special program may request the CMO-ICTD for a one-on-one hands-on tutorial on how to create or upload a post subject to the peopleware availability of the division.

-Department, division, or special program may request the CMO-ICTD to update, rearrange, remove any feature in the menu or navigation bar of their individual website.

-CMO-ICTD will give admin, editor, contributor rights to the department, division, or special program Role of department, division, or special program.

Q. Policy for External Providers of ICT Products or Services

All offices with IT-related service or product for acquisition through one-time payment or subscription may invite the the CMO-ICTD for reference or advice and who will perform the following tasks:
1. Assess the service or product in terms of its hardware, software, peopleware, and dataware requirement.
2. Assess the scope, quality, timeliness, and cost of the service or product.
3. Evaluate by providing decision if favorable or not to LGU-GSC
4. Recommend to the chief executive other aspect(s) not covered in the evaluation.

The proponent may furnish to CMO-ICTD the following documents:
1. Terms of Reference
2. Implementing Rules and Regulations
3. PO or Contract, if any

R. Cloud Backup Request Policy

1. Offices may request the CMO-ICTD for their cloud backup of their files subject to availability of web space of the current web hosting of LGU-GSC at web.com.ph.
2. Offices will fill out the request form by listing the number of files in the following category with estimated number of bytes of web space:

CATEGORY                                 NO. OF FILES                        NO. OF BYTES                   REMARKS
1. MS Office Files

2. Multimedia Files

3. Database Files

4. Others

3. CMO-ICTD will provide the necessary disk space based on items listed above.
4. CMO-ICTD will monitor the shrinkage or swelling of disk capacity for adjustment.
5. CMO-ICTD will include the cloud backup in the annual budget if there will be noticeable increase in capacity.