Resources likely to be of interest or use to IT auditors 

Updated: Tuesday, 05 June 2007

Publications: Public Organisations






The Australian Government Gateway




Comprehensive guidance and fact sheets on many aspects of the procurement and management of information and communications technology from the Department of Commerce (Office of Information and Communications Technology), Government of New South Wales.

Pretty much everything is covered including case studies.

The National Office for the Information Economy

The National Office for the Information Economy is Australia's leading Commonwealth agency for information economy issues. It was established in September 1997. 

NOIE's aim is to help Australians create a world-class online economy and society through its work developing, overseeing, and coordinating Commonwealth Government policy on electronic commerce, online services and the Internet.

The site's a mine of information on e-Business issues (see "better practice checklists" below).

NOIE - Better Practice Checklists

This area of the NOIE site contains a number of checklists that have been created to help web managers, business unit owners, and others quickly enhance their understanding of a range of issues associated with the provision of services online.  The checklists are short documents which provide information in a simple, non-technical manner.

NOIE - Confidence, Trust and Security


Confidence, trust and security are powerful online enablers. The Commonwealth is working to help protect consumers and build public confidence in online transactions.

National Archives of Australia

The National Archives promotes good government recordkeeping and encourages community awareness and use of valuable Commonwealth records in its care. This page provides an alphabetical listing of publications related to good record-keeping that are available for downloading.

NOIE - Online authentication: a guide for government managers. (.pdf 1.4MB)

This guide provides agencies with advice on some of the implementation issues to consider when using authentication in their online services.

Victoria - eGovernment Resource Centre

The Victorian Government's repository of eGovernment resources, including plenty of eGovernment case studies and research papers.

Western Australia - Department of Industry and Resources

E-commerce guides, case studies and advice on designing a Website.


The Canadian Government Gateway

The Treasury Board of Canada - Chief Information Officer Branch



Communications Security Establishment

The Communications Security Establishment is mandated to:

  • acquire and provide foreign signals intelligence;

  • provide advice, guidance and services to help ensure the protection of Government of Canada electronic information and information infrastructures; and

  • provide technical and operational assistance to federal law enforcement and security agencies.

Includes the Canadian Common Evaluation Criteria and white paper on P.K.I.

Government of Canada Internet Guide

The Internet Guide supports the Government of Canada's Government On-line initiative by providing a resource to help put services and information on-line. "Common Look & Feel Standards for the Internet".

The Enhanced Management Framework

...for Information Management and Information Technology (IM/IT). EMF is an integrated management model comprising principles, best practices, methodologies, tools and templates, designed to improve the Canadian Government's capability to manage its IM/IT investments, successfully deliver IM/IT projects, and minimize risks.

Information Management Resource Centre

The Information Management Resource Centre is a portal to Government of Canada, Canadian and international information management activities and resources.

The Framework for the Management of Information (FMI) provides federal departments and agencies with complete, coherent and integrated guidance on managing information. And if you're unsure what "metadata" is, this page contains chapter and verse on the subject, including the international perspective.

European Union

The European Union On-Line



E.U. Official Documents

Basic information about the European Union and links to more detailed information.

European Interoperability Framework

(.doc, 1.7MB) January 2004

Defines a set of recommendations and guidelines for eGovernment services so that public administrations, enterprises and citizens can interact across borders, in a pan-European context.

Information Society

The information society, by its very nature, cuts across traditional boundaries. This website is a guide through its many and various aspects, and contains a wealth of thematic information produced mainly by the European Commission and other European Union actors.

Network and Information Security (.pdf, 205KB)

Proposal for a European Policy Approach - comment.

eEurope 2002 - "An Information Society For All" - Action Plan

The European Council held in Lisbon on 23/24 March 2000 set the ambitious objective for Europe to become the most competitive and dynamic economy in the world. It recognised an urgent need for Europe to quickly exploit the opportunities of the new economy and in particular the Internet. To achieve this, the Heads of State and Government invited the Council and the Commission to draw up "…a comprehensive eEurope Action Plan … using an open method of co-ordination based on the benchmarking of national initiatives, combined with the Commission's recent eEurope initiative as well as its Communication ‘Strategies for jobs in the Information Society’."

Proposal for Establishing the European Network and Information Security Agency (.pdf, 279KB)


European Network and Information Security Agency (ENISA): a centre for information security for both Member States and EU Institutions. The Agency will increase co-operation and information exchange between different stakeholders in the Member States and contribute to a higher level of information security on the internal market.

Security (.htm)

As the Information Society becomes more and more important to business and society, ensuring the security of both the infrastructure itself and the information that runs through it is critical.

- eEurope 2005 Security Policies in Brief

- Implementing Security in Europe

- Electronic Signatures

- Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries


Government of India: Directory of Official Web Sites



National Informatics Centre

NIC is a premier Information Technology organization in India committed to providing state-of-the-art solutions for the IT needs of the Government of India at all levels. NIC carries the distinction of being the largest IT Organization in the Country and has set up a satellite based nationwide computer communication network called NICNET having over 1400 nodes connecting the National Capital, the State Capitals and the District Headquarters to one another. The IT services of NIC range from Consultancy, Software Design & Development, Office Automation and Networking Services to Training, Video Conferencing, CAD, EDI, Multimedia and Internet Services including Web Site Development and Hosting. NIC has a nationwide presence with its offices spread all across the Country, from Leh to Andaman & Nicobar Islands.

Interesting newsletter and articles on the operation of NICNET, one of the largest VSAT based networks of its kind. 

Department of Information Technology

Among other things the Department provides useful guidance on implementing the international standard for information security management, ISO 17799.


Cabinet Secretariat




Numerous papers describing the policies and strategies for rolling out e-Government in Japan, including:

IT Strategic Headquarters (Cabinet Secretariat)

Catalogues IT related policy and strategy documents. Also history of the Government Headquarters' IT policy.

IT Security Office (Cabinet Secretariat)

The IT Security Office strives to promote IT security policies within departments and agencies to ensure the security and credibility of a sophisticated information and communications network based society.


Government of Malta



Malta's eGovernment services

Electronic transaction-based services are the flagship of the e-Government programme. The improved level of service and the ease of use of the applications are the fundamental elements that are found through all these services.

This provides a portal to Malta's eGovernment services.

Central Information Management Unit

The CIMU is a unit based within the Office of the Prime Minister. It was established by Government in February 1999 to:

  • Provide leadership and vision for ICT in the Public Service;

  • Promulgate policies and standards (downloadable) on the use and application of ICT in the Public Service; and....

  • Ensure compliance with such policies and standards as well as carry out value for money reviews on investment made in ICT to date.

CIMU Newsletter

New Zealand

The New Zealand Government Gateway




The Continuum programme has been designed to provide the most effective tools and services to government agencies to enable them to meet best practice recordkeeping standards. It will assist agencies to develop their own programmes to fulfil business and accountability requirements, and promote good records management so that the most significant records of government are preserved for current and future generations.

A Resource Kit containing Archives New Zealand's standards, tools and guidelines, the individual components of which can be downloaded from this site. As new publications are added to the Kit, copies for inclusion in the folder will be sent to clients.

Centre for Critical Infrastructure Protection

CCIP is a business unit within the Government Communications Security Bureau. It was established in August 2001 with a mission to provide advice and support to protect New Zealand's critical infrastructure from cyber threats. It has three main roles:

  • to provide 24 hour/7 day "watch and warn" advice to owners of critical infrastructure and to government departments,

  • to analyse and investigate cyber attacks, and

  • to work with critical infrastructure organisations and other sectors nationally and internationally to improve awareness and communications regarding information technology security.

Security Tips - A simple guide to help keep your PC secure

E-Government in New Zealand

E-government is changing the way government works. Read more about the vision and strategy for e-government in New Zealand, including eGovernment case studies.

Organisation for Economic Co-operation and Development




eGovernment publications

In 2001, the Public Management Service launched a project on e-government that explores how governments can best exploit information and communications technologies to embed good governance principles and achieve public policy goals. The key factors that distinguish this project are the focus on the longer term and the grounding work in good governance and modernisation of public administration.

Policy Brief (.pdf, 198KB)

Checklist for e-Government Leaders.

OECD Guidelines for the Security of Information Systems and networks (.pdf, 270KB) July, 2002

OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (in English & French) were adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002. These Guidelines respond to an ever changing security environment by promoting the development of a culture of security – that is, a focus on security in the development of information systems and networks and the adoption of new ways of thinking and behaving when using and interacting within information systems and networks.

United Kingdom

The UK Government Gateway  

Cabinet Office




The purpose of this site is to enable the UK Public Sector, Industry and other interested participants to work together to develop and agree policies and standards for e-government.

UK eGovernment Security Framework

Details the security requirements for e-government. This high-level security framework is supported by more detailed requirements for Assurance, Business Services, Confidentiality, Network Defence, Registration & Authentication, and Trust Services.

Department of Constitutional Affairs



A Toolkit for Data Sharing (.htm)

This toolkit is aimed at service providers, such as local authority and other public sector employees, who have to grapple with data sharing issues. These tools will address many of the real and perceived problems which practitioners face in this area. The toolkit is not yet complete. It will be added to over the coming months so as to ensure that it provides comprehensive, up to date, information and guidance on data sharing issues.

The toolkit includes the following sections:

- legal guidance, explaining the existing powers on the collection, use and sharing of personal data;

- protocol guidance, with recommended standards for formalising data sharing agreements;

- a protocol checklist;

- complaints procedures;

- a library with examples of existing protocols, complaints procedures, codes of practice, management guidance and privacy statements.

Department of Trade & Industry



Information Security Downloads

Bucketfuls of wisdom on this subject.

HM Treasury



PFI: meeting the investment challenge

(.pdf, 540KB) July 2003

Following research into the performance of Private Finance Initiative (PFI) agreements, "the government will now adopt a presumption against the use of PFI in future IT projects" ... "many aspects central to IT procurement do not fit well with the central requirements of PFI".

See section 4.43.

Managing the risk of fraud (.pdf, 119Kb)

This guide does not attempt to provide a complete approach to risk management. It concentrates on the management of fraud risks, which in some respects require specific types of control measures. It is the deliberate nature of fraud which makes it more difficult to detect or stop. While some aspects of managing fraud risks are specific, many of the controls designed to address fraud risks will have a wider application and will therefore form part of a general approach to risk management and financial management.

Guidance on the Data Protection Act and the UK’s anti-money laundering legislation

(.pdf, 28Kb)

Treasury guidance to the UK financial sector on the interaction between the Data Protection Act 1998 and the UK’s anti-money laundering legislation.

The guidance responds to concerns that the obligation not to ‘tip off’ individuals conflicts with the requirement in the Data Protection Act to disclose information held on an individual.  It offers advice to institutions on how to deal with a ‘Subject Access Request’ under the Data Protection Act. Although the guidance does not constitute legal advice, the Information Commissioner has been consulted and ‘supports the approach taken’.

The Green Book: Appraisal & Evaluation in Central Government

HM Treasury guidance to public sector bodies on how investment proposals should be appraised, before significant funds are committed – and how past and present activities should be evaluated. The Green Book aims to encourage a more thorough, long-term and analytically robust approach to appraisal and evaluation. It is relevant to all appraisals and evaluations.

Chapters 1 to 7 (pdf - 242KB)

Annexes (pdf - 229KB)         

House of Commons



Improving the Delivery of Government IT Projects

A review of UK Government IT projects and the identification of key lessons (ISBN: 00102047006 5 Jan. 2000, HC 65 1999/00).  

Law enforcement



Fraud alert

The Fraud Alert pages have been set up in conjunction with the Metropolitan Police Fraud Squad as a resource to assist in combating specific types of high value fraud. Guidance is currently offered on High Yield Investment Fraud, and West African Advance Fee Fraud. The site also hosts links to other anti fraud sites.

Serious Organised Crime Agency (SOCA)

An organisation set up to combat national and transnational serious and organised high tech crime within, or which impacts upon, the United Kingdom. See Good Practice Guide for Computer based Electronic Evidence.

SFO publications and speeches

The Serious Fraud Office is part of the UK criminal justice system. It aims to investigate and prosecute serious and complex fraud and so deter fraud and maintain confidence in the probity of business and financial services in the UK. The site hosts some interesting papers on this subject containing references to computer-related fraud.

Office for Government Commerce



The Gateway Process

Procurements are any finite activity designed to deliver a government requirement and involving government expenditure.

The Gateway Process examines a procurement project at critical stages in its lifecycle to provide assurance that it can progress successfully to the next stage. It is designed to be applied to projects that procure services, including IT-enabled business change projects and procurements that utilise framework contracts.

In simple terms, a Gateway review of a procurement project is carried out at a key decision point by a team of experienced people, independent of the project team.

This page contains the documents that are necessary to support Gateway reviews.

Successful Delivery Toolkit 

The Toolkit describes proven good practice for procurement, programmes, projects, risk and service management. It brings together policy and best practice in a single point of reference.

Successful Delivery Pocketbook

The Pocketbook describes the steps that need to be taken to initiate effective programmes and projects. It explains how to produce the information you need, uses proven best practice techniques, and integrates with existing programme/project and risk management guidance. Critical factors for successful delivery are:

• the right scope – investment linked to clear outcomes that support strategic objectives; goals that are realistic and based on knowledge of what is achievable

• adequate skills and resources, matched to the demands of the programme/project

• processes for delivery that are based on approaches that are likely to work.

GC Forum

Published 9 times a year, this online successor to GP Forum includes something for everyone across the UK government commercial community, including Procurement, IT, Property & Construction Professionals and Programme & Project Managers.

Office Of The Information Commissioner



Publications and guidance

The Office of the Information Commissioner enforces the UK Data Protection Act and is also responsible for the Freedom of Information Act. Both acts relate to information handling.

Public Audit Forum



Audit Implications of Electronic Service Delivery in the Public Sector (1 August 2003)

(.pdf, 94.2KB)

This paper sets out to explain the audit implications of the integrated electronic service delivery envisaged in the 1999 Modernising Government White Paper. In the public services, it is essential that electronic service delivery does not cause erosion of accountability. There is, therefore, a particular public sector audit need for some basic guidance on the audit implications of electronic service delivery, both for auditors and management.

Data Matching and the Role of Public Sector Auditors

Consultation paper on data matching – the need to strike a balance between protecting the public purse and the individual’s rights to privacy.

National Archives



Standards and guidance

The National Archives have developed standards and best practice guidance on all aspects of records management.

United States of America

The US Government Gateway



Biometrics Management Office

The BMO, as the Department of Defense proponent for biometrics, will lead, consolidate, and coordinate the development, the adoption and the institutionalization of biometric technologies in CINCs/Services/Agencies, to enhance Joint Service interoperability and warfighter operational effectiveness.

Carnegie Mellon Software Engineering Institute - CERT Coordination Center

CERT/CC is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development centre operated by Carnegie Mellon University. CERT study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems, and develop information and training to help you improve security at your site. See also their TECH TIPS.

Department of Justice

Advice on managing fraud including Internet fraud. See also notes on the "Guidelines for FBI National Security Investigations and Foreign Intelligence Collection".

Federal Agency Security Practices

The FASP site contains security policies, procedures and practices, and a Frequently Asked Questions section.

Federal Computer Incident Response Center

FedCIRC is the central coordination and analysis facility dealing with computer security related issues affecting the civilian agencies and departments of the US Federal Government. See the Federal Information Security Management Act or, for something lighter, try the Wireless Security Quiz (.pdf, 779KB). The Library is here.

Federal Trade Commission

Advice on consumer protection including awareness of Internet fraud and identity theft. The FTC report ID Theft: When Bad Things Happen To Your Good Name is a must.

JFMIP (Joint Financial Management Improvement Program)

The JFMIP is a joint and cooperative undertaking of the U.S. Department of the Treasury, the General Accounting Office, the Office of Management and Budget, and the Office of Personnel Management working in cooperation with each other and other agencies to improve financial management practices in government. Objectives include developing systems requirements, communicating and explaining Federal and agency needs, providing agencies and vendors with information to improve financial systems, ensuring that products meet relevant system requirements and simplifying the procurement process.

See archives.

National Archives and Records Administration

NARA is an independent US federal agency that preserves the nation's history and oversees the management of all federal records. Guidance products have been developed as part of the Electronic Records Management Initiative - see also Policy & Guidance, and FAQs on electronic records management.

National Infrastructure Protection Center

The NIPC's mission is to serve as the U.S. government's focal point for threat assessment, warning, investigation, and response for threats or attacks against our critical infrastructures.

National Information Assurance Partnership

A U.S. Government initiative designed to meet the security testing, evaluation, and assessment needs of both information technology producers and consumers. NIAP's library offers numerous IT security policy and guidance documents for downloading.

National Institute of Standards and Technology

NIST Computer Security Resource Center - many specialist publications on different aspects of information security, including the Computer Security Incident Handling Guide (.zip, 1.6MB).

National Security Agency: Security Recommendation Guides

The National Security Agency is the Nation's cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information.

President's Critical Infrastructure Protection Board

The National Strategy to Secure Cyberspace is part of an overall effort to protect the Nation and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.

The General Accounting Office

Best Practice Reviews - Information Technology

US State/Local Gateway

Federal interagency project developed to give state and local government officials and employees easy access to federal information.
