The Board is responsible for the governance of information technology (IT) and the various Information Services (IS) that accompany it.
Our governance structure is informed by the Information Technology Infrastructure Library, which contains a set of detailed practices for IT service management that focus on aligning IT services with the needs of business. The Head of IS provides the Board with a comprehensive presentation on the state of IT and information governance and associated risks annually.
The Company’s IT and information security policies, and notable changes to such, are included in the Board pack for review and noting. Independent annual reviews of the IT function are performed by auditors as a further measure of compliance and good governance. Internal Linde Group-led audits are also performed, and are based on system changes that may result in new risk formation or actions in response to high-risk areas.
Various actions are taken to monitor the effectiveness of technology and information management including reports to line management and escalation of pertinent matters to Board level.
Activities in the year
- A key focus area was the strengthening of our IT Disaster Recovery Plan and alignment of this plan with the Company’s BCM. Reviews were completed across key areas of the business, and reinforcement of multiple critical response scenarios in the Customer Service Centre was implemented. This activity is expected to continue into 2018.
- There are no outstanding audit findings for 2017. Two priority cyber-attack incidents occurred. Mitigation actions commenced immediately, allowing the Company to be unaffected by the attack.
- Four operational IT risks were mitigated and closed in 2017, and two high-probability risks are being managed. The first is the risk of imminent hardware failure related to an ageing server, which is being mitigated through the outsourcing of physical server infrastructure to a service-based solution. This project will be completed by mid-2018. The second is confidentiality of information, prompted by the advent of POPI and the EU General Data Protection Regulation (GDPR) in Europe. Afrox is in the process of identifying applications and programmes that contain sensitive data and/or personal data to ensure that any future actions are applied to relevant areas. Stringent policies for access to such data are already in place with various approval levels set to control the release of such data. Some of our data is stored with The Linde Group in Germany, which is in the process of fully aligning to the GDPR relevant to its geography.
- Results of an extensive investigation on cyber security were presented to the Board, noting antivirus and security patch trends that comply with key performance indicators.
Digitalisation provides an opportunity to streamline processes and improve effectiveness in most areas of our business. This will translate to cost savings, production improvements and the opportunity to utilise data collected to enhance business intelligence. Afrox is committed to safeguarding the Company from cyber threats through various IS policies and procedures.
Future focus areas
- Identify and leverage opportunities for connecting devices across the IT and Company’s technical footprint.
- Further develop the digital roadmap.
- Investigate how digital impacts can provide value-adding solutions across the business, specifically in the areas of:
  - autonomous delivery;
  - aided production and assisted controls;
  - maintenance as a service; and
  - product service offerings.
- Develop value by pursuing integrated venturing to leverage expertise within venture partnerships.