KPC ICT SRATEGIC PLAN 2015-2020 - Prokurori i · PDF fileKosovo Prosecutorial Council ICT...

REPUBLIC OF KOSOVA

KOSOVO PROSECUTORIAL COUNCIL

KPC ICT SRATEGIC PLAN 2015-2020

Kosovo Prosecutorial Council ICT Strategic Plan 2015‐2020

Page 1

Table of Contents 1 Management Summary .............................................................................................................. 9

2 Introduction ................................................................................................................................ 12

2.1 Background/ History .......................................................................................................... 12

2.2 Vision ................................................................................................................................... 13

2.3 Mission ................................................................................................................................. 13

2.4 Purpose and Scope ............................................................................................................. 13

2.5 ICT Strategy ......................................................................................................................... 14

2.6 Methodology ....................................................................................................................... 14

3 Strategic Key Area 1: Legal & Regulatory Framework ....................................................... 16

3.1 Current Position .................................................................................................................. 16

3.2 Legislative Changes Needed for Successful Introduction of ICT in KPC .................. 16

3.3 Regulatory Changes within KPC Responsibility ........................................................... 17

3.4 Memorandum of Understanding with other Institutions ............................................ 17

4 Strategic Key Area 2 – Application Landscape .................................................................... 19


4.2 Rationale .............................................................................................................................. 19

4.3 Benefits ................................................................................................................................. 20

5 Strategic Key Area 3 ‐ ICT infrastructure .............................................................................. 21


5.2 Setting ‐Up Data Center According To Well‐Defined Standards ................................ 21

5.3 Establishing Physical Separation of the KPC Assets ..................................................... 23

5.4 Implementing Data Center Disaster Recovery Plan ...................................................... 25

5.5 Implementing Data Center Resilience ............................................................................. 26

5.6 Providing of Adequate Patch Rooms .............................................................................. 27

5.7 Implementing Virtualization of the Servers ................................................................... 28

5.8 Implementing Adequate Scanning Devices .................................................................... 29

5.9 Implementing Adequate Data Backups .......................................................................... 30

5.10 Implementing Data Archiving .......................................................................................... 31

5.11 Implement Adequate Networks ....................................................................................... 31

5.12 Providing of Adequate Desktops ..................................................................................... 32

5.13 Providing of Telephony Services ..................................................................................... 33


Page 2

5.14 Implementing Cooling and Ventilation Systems .......................................................... 34

5.15 Providing Uninterruptible Power Supplies (UPS) ......................................................... 34

5.16 Implementing Fire Protection Systems ........................................................................... 35

6 Strategic Key Area 4 ‐ Security ................................................................................................ 36


6.2 Implementing Adequate Security Zones ........................................................................ 36

6.3 Establishing Segregation of ICT Environments and Duties ........................................ 38

6.4 Implementing Network Access Control .......................................................................... 39

6.5 Implementing User Access Management ....................................................................... 40

6.6 Implementing Physical Access Control ........................................................................... 40

6.7 Implementing Controlled Internet Access ...................................................................... 41

6.8 Ensuring Data Encryption ................................................................................................. 42

6.9 Implementing Audit Trail (Log Management) .............................................................. 43

6.10 Implementing Information Technology Risk Management ......................................... 44

7 Strategic Key Area 5 – Collaboration Solutions .................................................................. 45


7.2 Controlled Usage of E‐mail System ................................................................................ 45

7.3 Usage of New Collaboration Tools .................................................................................. 46

8 Strategic Key Area 6 ‐ Implementation Methodologies ..................................................... 48


8.2 Choice of Suitable Implementation Methodologies: Iterative Approaches ............... 48

8.3 Development of a Coherent Test Strategy ...................................................................... 50

8.4 Co‐ordination between Development and Production: ʺDevOpsʺ Approach ........... 51

8.5 Migration Path: Reuse of Existing Data ......................................................................... 52

8.6 Filling CMIS Data ............................................................................................................... 53

9 Strategic Key Area 7 ‐ Adequate Software Platform & Tools ........................................... 54

9.1 Implementing Software Architecture .............................................................................. 54

9.2 Use of Standard Protocol for Information Exchange ..................................................... 56

9.3 Selection of a Suitable Scanning Solution ....................................................................... 57

9.4 Use of Adequate Collaboration Tools .............................................................................. 57

9.5 Witness Protections Systems ............................................................................................. 58


Page 3

10 Strategic Key Area 8 ‐ Support and Maintenance ............................................................... 60


10.2 Standard ............................................................................................................................... 60

10.3 Rationale .............................................................................................................................. 60

10.4 Benefits ................................................................................................................................. 62

11 Strategic Key Area 9 ‐ Human Resources .............................................................................. 63


11.2 Rationale .............................................................................................................................. 63

11.3 Benefits ................................................................................................................................. 66

12 Strategic Key Area 10 ‐ Process Change Management ....................................................... 67


12.2 Rationale .............................................................................................................................. 67

12.3 Benefits ................................................................................................................................. 69

Annexes ............................................................................................................................................... 70

KPC ICT Strategic Plan ‐ Working Group .................................................................................. 70

Table of figures Fig. 1: The ten Strategic Key Areas of the KPC ICT Strategic Plan.............................................. 14

Fig. 2: Physical separation of the Data Center Servers between KPC and KJC ......................... 24

Fig. 3: Patch Room .............................................................................................................................. 27

Fig. 4: Security zones .......................................................................................................................... 37

Fig. 5: A proposed DevOps maturity model for KPC ................................................................... 52

Fig. 6: ICT human resources organization ...................................................................................... 64

Fig. 6: Accompanying activities for the five phases of change management ............................ 68

Fig. 7: A 7‐steps communication strategy ....................................................................................... 68

Referenced documents Reference Document Name

RD1 KJC ICT Strategy 2012‐2017

RD2 Assessment Report ‘’Building capacity of the Kosovo Judicial Council on

Information Communication Technology’’‐2011

RD3 Law on the Kosovo Prosecutorial Council

RD4 Law on State Prosecutor

RD5 ICT/CMIS Project Proposal

RD6 Regional conference on cooperation on the use of ICT in Judiciaries in the

western Balkans

RD7 KPC ICT strategic plan 2015‐2020 – Kick off meeting

RD8 Analysis of the Legal Framework Relevant for Transformation of the Existing

Manual Judiciary into an e‐Judiciary, February 2015


Page 5

Glossary ADKAR Awareness, Desire, Knowledge, Ability and Reinforcement ‐ The ADKAR®

Model, introduced by Prosci (a leader company in benchmarking research and

change management products), is one of the most popular and effective change

management model, based on the individual progression.

ANSI/TIA‐

942

American National Standard Institute‐ Telecommunication Industry

Association ‐ A standard providing guidelines for building data centres and

computer rooms.

CMDB Configuration Management Database ‐ A database that contains information

about IT assets, as well as the relationships between these components.

CMIS Case Management Information System ‐ A project aiming to automate the work

in all prosecution offices in Kosovo.

CPU Central Processing Unit ‐ The main component of a computer, containing the

logic circuitry that performs the instructions of a computerʹs programs.

DBMS Database Management System ‐ A program enabling to create, to store, to

modify, and to extract information from a database.

DevOps Development and Operations – A way of collaborating and communicating

between development and operations teams; that encompass both

organisational aspects and ad‐hoc tooling.

DMZ Demilitarized zone ‐ A computer or small network inserted as a ʺneutral zoneʺ

between a trusted, private network and an untrusted, public network. It

prevents outside users from getting direct access to a server that holds private

data.

DRP Data Center Recovery Plan ‐ A documented plan to ensure business continuity,

by recovering and protecting an IT infrastructure in the event of a disaster.

DTAP Development, Test, Acceptance and Production – An acronym used to describe

the four steps of software implementation.

Forefront

TMG

Forefront Threat Management Gateway (TMG) is commonly deployed as a

secure web gateway with advanced web protection capabilities.

ICT Information and Communication Technologies ‐ A generic term to describe all

communication devices, computers, networks, as well as various associated

services or applications.

IMG International Management Group – A private company providing

administrative and financial management for the CMIS project.


Page 6

IP Internet Protocol ‐ The primary network protocol used on the Internet.

ISIS Image and Scanner Interface Specification – A standard interface for image

scanning technologies.

ISO International Standardization Organization – The international organization

that develops and publishes international standards.

ISTQB International Software Testing Qualifications Board ‐ ISTQB is an international

software testing qualification certification organization.

ITIL IT Infrastructure Library. ITIL is a set of procedures that are used to implement

a lifecycle framework for IT Service Management.

ITSM IT Service Management ‐ A process‐based approach to align the delivery of IT

services with the needs of the organization that uses them.

KJC Kosovo Judicial Council

KPC Kosovo Prosecutorial Council

KPI Key Performance Indicator ‐ A quantifiable measures that can be used to

evaluate the performance of an activity in terms of meeting its strategic and

operational goals.

LAN Local Area Network ‐ A local area network is a telecommunication network

that interconnects computers within a small geographic area (e.g. within an

office building).

LCM Life Cycle Management ‐ The process of managing the entire lifecycle of a

product.

MPA Ministry of Public Administration

MS Microsoft Corporation

NAC Network Access Control ‐ A method of bolstering the security of a proprietary

network, by restricting the availability of network resources to endpoint

devices that comply with a defined security policy

NAS Network Access Server ‐ A server that performs authentication and

authorization functions for potential users by verifying logon information

RACI Responsible; Accountable, Consulted, Informed ‐ A responsibility assignment

matrix, also known as RACI matrix, is a way to describe the participation by the

stakeholders in completing tasks. It helps in clarifying roles and responsibilities

in cross‐functional organizations, by assigning clear ownership for each task.

RAD Rapid Application Development – An iterative approach for software

development, that relies on the concept of prototype.


Page 7

RAM Random Access Memory ‐ The computer storage location, allowing data to be

stored and accessed quickly.

SAN Storage Area Network ‐ A high‐speed network that interconnects storage

devices to servers.

SANE Scanner Access Now Easy ‐ An application programming interface providing

standardized access to scanner hardware.

SLA Service Level Agreement ‐ A contract between a provider of services and a

client, that specifies what services will be provided and with what level of

quality.

SOAP Simple Object Access Protocol – The communication protocol used by Web

Services

SQL Structured Query Language ‐ A specific programming language allowing to

manage data stored in a relational database management system.

SWOT Strengths, Weaknesses, Opportunities, Threats ‐ A SWOT analysis is a

structured method used allowing to evaluate the strengths, weaknesses,

opportunities and threats of an organization.

TWAIN TWAIN is an application programming interface that enables the

communication between a document management system and a scanner.

UDDI Universal Description, Discovery and Integration – A registry allowing to

publish and find Web Services

UPS Uninterrupted Power Supplies – An electrical device (battery) providing power

to IT systems when the main power source fails.

URL Uniform Resource Locator ‐ A generic term for all types of names and

addresses that refer to objects on the World Wide Web.

VOIP Voice Over IP ‐ A set of technologies allowing the delivery of telephone

calls (voice communications) over Internet – instead of using a regular, analog

line.

WAN Wide Area Network ‐ A wide area network is a geographically dispersed

telecommunication network, used to exchange data on a broad area (e.g., on a

regional, national or international level) through leased lines.

WIA Windows Image Acquisition ‐ A Microsoft application programming

interface enabling document management systems to communicate with

scanners.

WiKi A web application (web site), implemented collaboratively by a community,

which allows their members to add, modify or delete content.


Page 8

WSDL Web Services Description Language ‐ A XML based language, providing a

standard description of a Web Service.

XML Extensible Mark‐up Language ‐ A mark‐up language (text‐based format)

designed to describe data.


Page 9

Management Summary

The Kosovo Prosecutorial Council (KPC) and the Kosovo Judiciary Council (KJC) are

currently undertaking, in close co‐operation, a comprehensive reform of the prosecutorial

and juridical system of Kosovo. This reform includes the introduction of Information

Communication Technology (ICT) and the development of a Case Management Information

System (CMIS). The key objective of introduction of CMIS will be the increase of the

efficiency, accountability and transparency of courts and prosecutors.

In order to proceed in building up an ICT environment which complies with the current and

future needs of the stakeholders, as well as with the CMIS requirements, KPC has decided to

elaborate an ICT strategic plan for the period 2015‐2020. This ICT strategic plan will be used

as the basis for future ICT planning and investment, providing a sound basis for investment

decisions inside the KPC.

The accomplishment of the ʺe‐Prosecutionʺ vision that underlies this strategic plan occurs

through a complete, harmonized and coordinated realization of ten “Strategic Key Areas”,

being:

1. Strategic Key Area 1: Legal & Regulatory Framework ‐ Even though there is no

explicit indication on the usage of ICT in the law, the prescribed responsibilities of

KPC are impossible to achieve in an efficient and effective way without the

introduction of ICT. Therefore, KPC shall undertake activities related to an

appropriate change of laws, sub‐laws, and policies/procedures; as well as reach

memorandums of understanding with other institutions.

2. Strategic Key Area 2: Application Landscape ‐ The importance of CMIS and its

broad functional coverage cannot be a reason to ignore additional specific

applications, which are not in the scope of the services provided by CMIS, but are

however needed by the prosecutorʹs offices and support staff in order to effectively

and efficiently fulfil their duties. In that context, KPC shall guarantee that all its

objectives will be reached thanks to the management of a complete application

landscape.

3. Strategic Key Area 3 ‐ ICT infrastructure – The implementation of an infrastructure

that complies with international standards will represent a solid basement of modern

ICT for KPC. This basement will allow to respond efficiently to the requirements of

CMIS and to other support activities. KPC shall take the necessary actions in order to

have a customizable ICT infrastructure, capacity predictable, manageable and

allowing a full control on the data and the hardware belonging to KPC.


Page 10

4. Strategic Key Area 4 – Security ‐ Considering the sensitive character of the

information processed by KPC, it is obvious that a special attention must be put on

information security and data protection. By integrating a robust information security

management system, KPC shall ensure that the product reliability, safety and

integrity will be guaranteed to the highest level of the organization.

5. Strategic Key Area 5 – Collaboration Tools – The need for sharing relevant

information among the stakeholders, despite the geographically spread organization

of the prosecutorʹs offices, is a reason to implement various collaboration solutions.

To that extent, KPC shall further develop a controlled and secured usage of e‐mail,

but shall also deploy new appropriate collaboration solutions – being internal,

oriented towards other organization or the public in general.

6. Strategic Key Area 6 ‐ Implementation Methodologies – The complexity of CMIS

justifies the adoption of suitable methodologies, in order to support the execution of

the whole project lifecycle. To this end, KPC shall proceed with the choice of an

iterative approach for the implementation, develop a coherent test strategy, ensure

the coordination between the development and operation teams and carry out a

reasoned data migration activity.

7. Strategic Key Area 7 ‐ Adequate Software Platform & Tools ‐ Taking into account

the ambitions of CMIS and the other supporting systems, KPC shall deploy state‐of‐

the art technologies for their implementation. However, for the sake of minimizing

costs and efforts, the preference shall be put on solution that are compliant with the

current architectural choices already jointly made by KPC & KJC. Furthermore, the

need for interoperability with other institutions also requires the use of standard

protocols allowing the exchange of information.

8. Strategic Key Area 8 ‐ Support and Maintenance ‐ KPC shall organize support

services according to de facto recognized standards (IT Infrastructure Library ‐ITIL).

ITIL provides documented procedures in order to ensure both Service Support and

Service Delivery. Service Support focuses on the users of the IT services and is

primarily concerned with ensuring that they have access to the appropriate services

to support the business functions. The Service Delivery is the set of proactive services

that KPC shall deliver in order to provide an adequate support framework to the end‐

users.

9. Strategic Key Area 9 ‐ Human Resources ‐ KPC has already at disposal valuable ICT

resources. However, the implementation of all ambitions of this strategic plan

requires having at disposal a wide range of skilled ICT profiles. To this end, KPC

shall undertake structural measures (on the long term) in order to develop a

multiannual hiring plan and to maintain the existing competences. Meanwhile, until

the ICT staff does not include all the required resources, a partial and controlled

outsourcing of resources shall be envisaged.


Page 11

10. Strategic Key Area 10 ‐ Process Change Management ‐ KPC perfectly understands

that the deployment of new ICT tools affects directly the day‐to‐day activities of its

officers. Besides significant training efforts already undertaken, KPC shall also set‐up

a broader change management policy, to be implemented through a comprehensive

communication plan. Thanks to an effective application of this change management

strategy, the KPC staff will feel supported and will understand the change process

and the underlying vision.


Page 12

1. Introduction

1.1 Background/ History The Kosovo Prosecutorial Council (KPC) is a fully independent institution in the

performance of its function, established by regular law as of 1 January 2011. It ensures that

all persons have equal access to justice and that prosecutors exercise their function in an

independent, professional and impartial manner.

The Kosovo Prosecutorial System includes:

seven basic prosecution offices, each divided in three departments: general department;

department for juveniles, and serious crimes department;

one appeal prosecution office, divided into general and serious crimes departments;

one special prosecution office; and

The Chief State Prosecution office.

In the past, KPC was not included in the development of the ICT strategy for courts in

Kosovo. In order to remediate to this situation, KPC, in close co‐operation with the Kosovo

Judiciary Council (KJC), are currently undertaking a comprehensive reform of the

prosecutorial and juridical system of Kosovo. This reform includes the introduction of

Information Communication Technology (ICT) and the development of a Case Management

Information System (CMIS). The key objective of introduction of CMIS will be to increase the

efficiency, accountability and transparency of courts and prosecutor’s.

In this context, KPC and KJC have agreed to combine their efforts, in order to implement this

case management system that will be used both by the judiciary and prosecutorial systems of

Kosovo.

The CMIS project will have four‐year duration as per plan, and will be divided into two

major phases:

The first phase is a preparatory phase; with estimated duration of one year. The main

objective of this phase is to develop the functional specifications for the CMIS

application.

The main phase of the CMIS project should last for three years. Its main objective is to

develop and to fully introduce CMIS in all courts and prosecutorial offices in Kosovo.

In order to proceed in building up an ICT environment which complies with the current and

future needs of the stakeholders, as well as with the CMIS requirements, KPC has decided to

elaborate an ICT strategic plan for the period 2015‐2020. This activity is made possible thanks

to the support of the KPC Working Group, representatives of KPC ICT as well as

international experts.

The financial support to the ICT/CMIS project and to this ICT strategic plan is provided by

the Government of Norway.


Page 13

1.2 Vision Kosovo Prosecutorial Council, through Information and Communication Technologies, is

committed to create an e‐Prosecution environment which will enable the availability of

digital, online, connected and collaborative services, offered not only to KPC but to all

related stakeholders.

1.3 Mission The implementation of modern Information and Communication Technologies will provide

secure, reliable and quality services for the cases management, as a primary activity of the

Kosovo Prosecutorial Council and for other activities; this in order to contribute to the

overall increase of efficiency, accountability and transparency of the prosecutorial system.

1.4 Purpose and Scope The purpose of the KPC ICT strategic plan, which is further described in this document, is

the response to the e‐Prosecution vision. E‐Prosecution is an opportunity in making available

up to date, accurate and secured information to the prosecutors, to the prosecutor’s offices, to

the support staff as well as to the citizens. Therefore, e‐Prosecution is expected in

contributing to increase the efficiency, accountability and transparency of prosecutorʹs

activities. Eventually, the aim is to comply with European e‐Justice overall strategy.

This ICT strategic plan intends to detail the high level strategic directions and plans for the

full range of ICT for the next five years. It demonstrates the role of ICT as a powerful set of

tools enabling the achievement of the KPC vision – in particular through the implementation

of CMIS.

Moreover, this ICT strategic plan:

Shall be used as the basis for future ICT planning and investment, providing a sound

basis for investment decisions inside the KPC;

Outlines where efficiencies can be made and costs reduced through improved use of

technology, resulting in further reduction of paper, workload and travel costs; and

Shall be treated as a living document that may change depending on new requirements

or opportunities caused by the rapid evolution of new technology.

This ICT strategic plan must ensure that it is aligned with wider KPC priorities, ICT

directions and budget funding.

In addition, it has to be noticed that both KPC and KJC use the same ICT environment.

Therefore, the guidelines expressed in the KJC ICT Strategic Plan 2012‐2017 are to be used as

a framework for the elaboration of this KPC ICT Strategic Plan.


Page 14

1.5 ICT Strategy KPC will accomplish his vision and mission through ten main groups of activities described

in this ICT Strategic Plan. These groups of related activities are imagined and presented as

ʺStrategic Key Areasʺ and are exposed as follows:

Fig. 1: The ten Strategic Key Areas of the KPC ICT Strategic Plan

Those Strategic Key Areas are described in greater details in the remaining of this document.

Implementing partially only one or some of the Strategic Key Areas will not help, nor give

results and clear measurable accomplishments at the end of this ICT Strategic Plan. Only a

complete, harmonized and coordinated realization of all strategic key areas will enable KPC

to achieve his vision.

In order to efficiently implement each Strategic Key Area, the current situation of KPC

regarding ICT is described. According to this current situation several domain of activities

are described per Strategic Key Area. Those domains of activities will enable the Key

Strategic Area to be implemented as a whole.

1.6 Methodology Step 1: Analysis of the present situation: where are we, assessing strengths and

weaknesses? This process is referred to as ʺSWOTʺ: strengths, weaknesses, opportunities,

and threats. This first step is conducted through workshops with small groups (support

staff, prosecutors and ICT staff) member of the KPC Working Group dedicated to this


Page 15

ICT Strategic Plan. In addition, a questionnaire is provided to the members of the

Working Group in order to express their requirements.

Step 2: Elaboration of the future: where do we want to go, what do we need: envisioned

state and choices. Make a gap analysis. Identify key issues, questions, choices and actions

to be addressed as part of this ICT Strategic Plan. The actions must be specific,

measurable, achievable, results‐oriented, and time and cost limited. The deliverable of

this step is the draft ICT Strategic Plan, which is submitted to the stakeholders for

comments and review.

Step 3: Agreement upon strategic actions to reach the goals and address key issues

identified. The deliverable of this step is the final ICT Strategic Plan approved by all

stakeholders.


Page 16

2. Strategic Key Area 1: Legal & Regulatory Framework

2.1 Current Position The full introduction of ICT in the KPC, as further described in this document, will represent

a major change in the working procedure undertaken by management, prosecutors and

support staff. Currently, the legislative and regulatory basis in Kosovo has in scope to

support old manual (“paper and pen” based) systems. This means that the cases are still

manually registered in a register, and this register, together with related paper documents,

are the only official documents that are considered as having force of law.

Even though there is no explicit indication on the usage of ICT in the law, it can be

reasonably assumed that the prescribed responsibilities of KPC are impossible to achieve in

an efficient and effective way without the introduction of ICT. As an independent institution,

KPC has legitimacy to claim its responsibility for introduction of ICT as an essential

precondition for fulfilment of its competences and responsibilities provided by law.

On this regard, to pave the way for introduction of the ICT in the prosecution offices, a

thorough analysis of the existing domestic legal framework (laws and by‐ laws) that is

relevant for transformation of the existing manual work into e‐work shall be conducted. An

identical assessment has been conducted for the purpose of the introduction of the ICT

solutions inside KJC, in particular for the KJC CMIS Project (cfr. RD8).

With the aim of enabling full introduction of ICT solutions in to the KPC, it will be needed

during the implementation of this ICT strategy to undertake activities related to:

Changing of laws;

Changing sub‐laws, policies/procedures; and

Reaching memorandums of understanding with other institutions.

2.2 Legislative Changes Needed for Successful Introduction of ICT in KPC

Initiation of legislative changes shall be a constant activity of KPC to monitor possible

improvements that ICT can bring to prosecution offices, support staff, citizens; as well as to

timely start with initiatives for amending respective legislation.

For the purpose of initiating legislative changes, the laws currently in force will require to be

amended through appropriate legislative procedures. To this end, KPC shall:

Submit amendments to the law in order to ensure clear authority and responsibility of

KPC for implementation, coordination and supervision of the uniform introduction of

ICT technologies;

Request authorizations to receive financing and directly manage donors for ICT projects

in judiciary;


Page 17

Initiate legislative changes to the procedural laws, in order to accommodate effective and

efficient usage of ICT such as usage of electronic documents, usage of digital signature,

electronic signature and similar ICT activities, which will be further described in this

document;

Find ways of attracting and maintaining ICT specialists. This activity aims to ensure

proper human resources which can provide adequate operational support to the ICT

strategy in its future achievements.

2.3 Regulatory Changes within KPC Responsibility As previously explained, the introduction of ICT in the KPC will represent a major change in

the working procedure undertaken by management, prosecutors and support staff.

Different work processes such as data storage, archiving, backups, case flow, monitoring of

performances, assignment of tasks, hiring procedures and other activities prescribed by law

will have to be performed in a different way than in the current manual procedures.

This adaptation of working procedures needs to have a regulatory basis. Therefore, KPC

shall examine current sub‐laws, rules and procedures that regulate the work of prosecutions

offices and support staff, as well as the operations and systematization of work posts in

order to:

Make amendments to existing sub‐laws, rules or procedures;

Create new sub‐laws, rules or procedures.

These amended or new sub‐laws, rules and procedures will regulate the usage of ICT

(hardware, security, networking, internet, applications, etc.) as described in the next strategic

key areas, further in this document.

2.4 Memorandum of Understanding with other Institutions The legacy is often a burden to start from a new blank page. This is the case with all ICT

infrastructures (server rooms, routers, switches, networks) that are commonly used by both

KPC and KJC; as well as for different software licenses that are provided by the Ministry of

Public Administration (MPA).

Common usage of the same infrastructure can be a source of ambiguity in case of incidents,

maintenance and upgrade of the existing hardware. In addition, the provision of the

software licenses by the MPA is also a source of uncertainty. Indeed, the current laws

support this procurement; but there are no clear indications that KPC, as an independent

institution, will still be granted to use these licenses in the future as well.


Page 18

To avoid those uncertainty situations for the future, KPC shall:

1. Initiate a memorandum of understanding with KJC in order to have:

A clear separation of duties: who does what in different cases as far as the shared

infrastructure is concerned (under the form of a responsibility assignment matrix ‐

aka ʺRACIʺ matrix);

The possibility of managing in the future the routers and switches by his own KPC

ICT staff;

The possibility to order, manage and install its own hardware inside the data centres.

2. Initiate a memorandum of understanding with the MPA in order to agree that:

Software licenses provided by MPA will remain available in the future for KPC;

The usage of the current fibre network lines in different regional offices will be

guaranteed in the future;

The remaining regional offices that don’t have fibre network lines will be linked with

those lines ‐ when this will be possible by MPA;

Telephony (ʺVoice over IP [ʺVoIPʺ]) services for KPC will be provided by MPA in the

future as well.

3. Initiate a memorandum of understanding with other public or international institutions

in order to agree that:

The processing of the exchanged information (formatting, way of exchange,

periodicity,…) is correctly specified;

Non‐disclosure agreements to keep information protected are in place;

The service which is provided by KPC or other institutions will be available in the

future.


Page 19

3. Strategic Key Area 2 – Application Landscape

3.1 Current Position As stated in the introduction, this ICT Strategic Plan mainly focuses on key areas necessary

to respond to the CMIS requirements. CMIS is the main application that will be used by the

prosecutorʹs offices, in order to increase the efficiency, accountability and transparency of

their activities. Among others, CMIS will allow the management of electronic files (case

registration, creation and modification of registries, delivery of cases, etc.), the automation of

working processes (case analysis and processing, tracking of case status…), calendar and

scheduling activities, as well as the production of various statistics and reports.

The detailed functional specifications for CMIS will be elaborated together with the selected

software company responsible for the development of CMIS and the KPC Working Group.

The importance of CMIS and its broad functional coverage cannot be a reason to ignore

additional specific applications, which are not in the scope of the services provided by CMIS,

but are however needed by the prosecutorʹs offices and support staff in order to effectively

and efficiently fulfil their duties.

In this context, the application landscape to be considered also covers:

Specific human resources applications for prosecutors and support staff; allowing a.o.

the management of positions (application for a position), personal files management,

training management and follow‐up, evaluation of performances, holidays management,

various reporting…

The management of car pool (cars registration, parts registration, follow‐up of warranty

periods, servicing and maintenance…);

Follow‐up of entry and exit of warehouses;

An application dedicated to the protection and assistance of the victims;

Financial management (budget planning, management of invoices for external

stakeholders, …);

A comprehensive Web portal, allowing interconnections with CMIS.

3.2 Rationale Besides the implementation of CMIS, in order to guarantee that all its ambitions will be

reflected in this application landscape, KPC shall, with the support of the KPC Working

Group:

Establish a comprehensive list of new applications to be built and the current

applications to be migrated;

Merge and consolidate applications, in order to avoid having too much applications in

the landscape;


Page 20

Prioritize the resulting list: essential applications must be implemented (or migrated)

first; less critical one can be postponed or omitted;

Establish the detailed functional specifications for these applications before their

implementation.

This activity will provide the basis on which:

Decisions will be made about what KPC ICT will do over the whole strategic plan

duration;

The required budget for the implementation landscape will be quantified.

3.3 Benefits An optimized and controlled application landscape; which enables:

A complete coverage of the needs;

A mitigation of the risks induced by over‐complexity; and

A corresponding reduction of costs.


Page 21

4. Strategic Key Area 3 - ICT infrastructure

4.1 Current Position With regard to KPC ambitions, the current ICT infrastructure that is at its disposal is quite

limited. Currently, some of that hardware is fully functional, like Wide Area Network

(WAN) and Local Area Networks (LANs); while some other pieces of equipment have

become obsolete, such as servers and workstations.

The server rooms and most of the network enclosures are out‐dated and have no standard

security. Their management is done in coordination with KJC ICT staff. There is neither

standardized patch room data center resilience and recovery plan nor physical separation of

assets between KPC and KJC. The hardware (servers) which is in place is based on dedicated

hardware platforms per application, which implies higher costs of maintenance and sub‐

optimized usage of the hardware.

Currently, the budget to manage this infrastructure is entirely dependent on the donations

made by the EU or via bilateral agreements with EU countries. In addition, a limited amount

of ICT human resources is devoted to the management of the current server rooms.

In order to respond to those challenges, KPC shall take the necessary actions concerning the

ICT infrastructure in the following fields:

Set‐up of data center according to well‐defined standards.

Establish a physical separation of the KPC assets.

Implement a disaster recovery plan.

Implement data center resilience.

Provide adequate patch rooms.

Implement virtualization of the servers.

Deploy adequate scanning devices.

Implement adequate data backups.

Implement data archiving.

Implement adequate networks.

Provide adequate desktops.

Provide telephony services.

Implement cooling and ventilation systems.

Provide uninterruptible power supplies.

Implement fire protection systems

4.2 Setting -Up Data Center According To Well-Defined Standards

4.2.1 Current Position

The primary server room which is located at the KJC Secretariat, and delocalized server

rooms in the regional offices, are out‐dated and have no security standard. These rooms are


Page 22

completely unsuitable to be used as server rooms: the floors are not antistatic and are not

raised as they are supposed to be. The air condition systems exist but are not redundant. The

server rooms are installed in old buildings, and there is a big question about the fact that the

electric installation is appropriate. They are only protected by a lockable non‐security door.

There is no room security ‐ no access control system, no fire detection system and no fire

suppression system installed.

4.2.2 Standards

The standard which shall be applied in building‐up a new Data Center for KPC is the

Telecommunication Infrastructure Standard for Data Centres ANSI/TIA‐942.

The principal advantages of designing data centres in accordance with TIA‐942 include:

The definition of a standard telecommunications infrastructure for data centres:

‐ Structured cabling system for data centres using standardized architecture and

media.

‐ Accommodation of a wide range of applications (LAN, WAN, SAN, channels,

consoles).

‐ Accommodation of current and future protocols.

‐ Replacement of unstructured point‐to‐point cabling that uses different cabling for

different applications.

The specification for data center telecommunications pathways and spaces.

Recommendations on media and distance for applications over structured cabling.

The establishment of a standard for data center tiers to replace several proprietary

standards. The TIA data center tier standard is:

‐ A tool to evaluate existing data centres.

‐ A tool to communicate design requirements.

4.2.3 Rationale

4.2.3.1 Business needs

The new case management system CMIS, that will be implemented during the period of this

strategic plan, will need a solid infrastructure in place. To this end, a first prerequisite will be

the implementation of a new data center, which will fulfil all the needs of modern,

customizable, capacity predictable and manageable data center by the ICT staff of KPC.

A data center respecting these requirements will give to KPC the possibility to have a fully

customized environment, with full control over the data and the hardware.

4.2.3.2 Security needs

KPC ‐ as an independent institution ‐ has complex needs and a large landscape of

applications (cfr. Section 3, ʺStrategic Key Area 2 – Application Landscapeʺ). This context

requires implementing strict measures to control data security and a very sensitive approach

to manage the confidentiality of the data.


Page 23

4.2.3.3 Cost needs

Having a fully customized, controlled and up‐to‐standards data center has a cost, because

there is a need to build, to manage, maintain and administer the infrastructure related to a

data center.

With the aim of reducing the operational and maintenance costs, it has been decided to

create a common data center located in the Palace of Justice of Prishtina, for both KJC and

KPC.

In order to comply with those needs, KPC will:

Ensure that all missing equipment will be purchased and obsolete equipment will be

replaced.

Deliver the new equipment according to this strategic plan, as well as according to

technical standards or good practices.

Ensure that all security measures are taken in order to comply with the data security and

protection requirements in the data center.

Ensure that budget lines will be provided by a secured and permanent financing source,

in order to build, maintain and administer the infrastructure related to the data centers.

4.2.4 Benefits

A data center that is easily customizable, giving to KPC full control over the data and the

hardware.

A secured data center, that ensures the availability and the confidentiality of the data.

The usage of INSA/TIA‐942 international standards allows a structured system for a

management of a data center.

4.3 Establishing Physical Separation of the KPC Assets


As stated in the KJS ICT Strategic plan 2012‐2017, KJC & KPC will locate and build a

common data center in the Palace of Justice. The data center will be designed to function as a

carefully controlled environment. Throughout works on design, establishment and

maintenance of the data center, all valid technical and security standards as well as good

engineering practice will be applied.

4.3.2 Rationale

Despite the shared responsibility in managing the data center, KPC and KJC are two

independent institutions and consequently have slightly different views on:

Policies concerning the ICT;

How the data needs to be managed;

Storage;

Archiving;

Confidentiality;


Page 24

Integrity;

Availability;

Security.

In order to take in account those different views, there is a need for a physical and logical

separation inside this environment shared both by KPC and KJC.

KPC ICT department (section) shall be the only authority which will authorize accesses to

the assets belonging to KPC. Any other individuals, third‐party providers which are not

accredited by KPC will not be allowed to access stored applications and information inside

the data center. The only exception in favour of mutual usage of KPC &KJC assets can be

justified by a reduction of operational and support costs; mainly for facility management

systems (UPS, cooling & ventilations and fire protection).

Fig. 2: Physical separation of the Data Center Servers between KPC and KJC


Page 25

To this end, KPC shall:

Implement physical walls around the ICT assets which are property of KPC.

Implement temporary authorized access to those assets by third‐providers and controlled

by the KPC ICT staff.

Have the possibility to manage its own ICT third‐party providers; given that KPC will

give them credentials, in order to access KPC assets in the data center.

Take all necessary actions to have new regulation or memorandum of understanding

with KJC, in order to take in account those requirements ‐ always having in mind the

shared responsibility between KPC and KJC.

4.3.3 Benefits

Insurance that assets and the information are physically protected.

Clear responsibility on who does what when accessing physically KPC owned assets.

The possibility for KPC to manage its own assets, according to its own the objectives.

4.4 Implementing Data Center Disaster Recovery Plan


For the time being, KPC has no data center disaster recovery plan (DRP), which can ensure a

continuity of the business processes in case of disaster. The implementation of CMIS is a

major trigger to have in place a DRP, given the importance of this digital case management

information system for the prosecutors and the support staff.

4.4.2 Rationale

ʺDisaster recoveryʺ and ʺHigh availability of the systemsʺ are different concepts. Disaster

recovery is a subset, a small part of overall business continuity. It is the process of saving

data with the sole purpose of being able to recover it in the event of a disaster.

Depending on the nature of the disruption, the KPC data center overall integrity may be

untouched ‐ or it could be totally destroyed.

In order to respond to a disaster/disruption, KPC shall undertake the following activities:

Set‐up of two data centres: a ʺprimary data centerʺ, which is located in Palace of Justice in

Prishtina, and a ʺsecondary data centerʺ, that currently does not exist. The secondary

data center will serve to recover rapidly the disrupted/destroyed data, information or

system. This secondary data center needs to be physically located at some distance from

the primary one.

A DRP shall be built between KPC ICT, the facilities management of the building and the

business (working group), in order to know what are the critical systems which needs to

be recovered, how and when.


Page 26

4.4.3 Benefits

Ensure business continuity of the KPC business processes in case of disaster.

4.5 Implementing Data Center Resilience


Currently, given the limited equipment that is used by KPC, there is no resilience

implementation in the infrastructure of the data center. However, CMIS will require a high

availability, given the importance that this application will have for the efficiency of the

overall working processes inside KPC.

4.5.2 Standards

The international standard ANSI/TIA‐942, with respect to data center resilience, defines the

“minimal uptime” (i.e., the availability that can be achieved when the corresponding controls

are implemented) and it recognizes the following tiers:

TIER I II III IV

Availability 99.671% 99,749% 99,982% 99,995%

• Tier 1 = Non‐redundant capacity components (single uplink and servers).

• Tier 2 = Tier 1 + Redundant capacity components (N+1).

• Tier 3 = Tier 1 + Tier 2 + Dual‐powered equipment and multiple uplinks.

• Tier 4 = Tier 1 + Tier 2 + Tier 3 + all components are fully fault‐tolerant including uplinks,

storage, chillers, HVAC systems, servers etc. Everything is dual‐powered.

4.5.3 Rationale

Data center resiliency is the ability of a server, network, storage system, or an entire data

center, to continue operating even when there has been an equipment failure, power outage

or other disruption.

Considering the current configuration, the goal of KPC will be to achieve the Tier 2 and use

the secondary data center for the redundant capacity components. If, for budgetary reasons,

this secondary data center cannot be implemented, then the Tier 2 objective can be achieved

in the primary data center.

N+1 redundancy typically offers the advantage of additional failover transparency in the

event of component failure.

4.5.4 Benefits Business continuity of the prosecutor’s offices, prosecutors as well as the support staff is

ensured.


Page 27

4.6 Providing of Adequate Patch Rooms


Patch Rooms as such are partially implemented through network enclosures. For most of

them, those network enclosures are without any physical protection of the routers, switches

or local servers that are stored into.

4.6.2 Standards

The same standard ANSI/TIA‐942, that is to be followed up for the implementation of the

data center, is also applied for patch rooms and network enclosures.

4.6.3 Rationale

A patch room is essentially a small satellite room of the data center. It is located in all

delocalized offices. Firstly, it allows connecting the delocalized offices with the data center

through a router. Secondly, it offers the possibility to have all the workstations of the offices

interconnected through switches and patch panels (see figure below):

Fig. 3: Patch Room

In that regard, in order to comply with standards and have a full control of own

infrastructure, KPC will:

Ensure that there is patch room in each location where a LAN is in place.


Page 28

Install and locate all patch rooms in accordance with valid technical standards and

protected against unauthorized access.

Accordingly arrange and label network cables.

Provide for each patch room adequate UPS or connection to a central UPS system.

Ensure that a Life Cycle Management (LCM) for routers and switches is in place.

Provide the possibility to manage routers and switches by the ICT KPC Staff.

Find the necessary budgets lines, in order to implement in due time the LCM for the

hardware located in the patch rooms.

4.6.4 Benefits

Insurance that assets and the information are physically protected.

Clear responsibility on who does what when accessing physically KPC owned assets.

The possibility for KPC to manage its own assets, according to its own the objectives.

4.7 Implementing Virtualization of the Servers


The KPC servers present in the server rooms are all dedicated servers hosting specific

applications. Several servers are in the main server room at the KJC Secretariat, while others

are in the regional offices. Regarding their operating systems as well as their life cycle, most

of those servers are out of date.

4.7.2 Rationale

Because the current servers are dedicated servers, their CPU capacity is not optimized and

the underlying cost for this usage is much too high.

The location of the servers, which are currently for some in the central server room and for

others delocalized in the regional offices, it is not following the standards of having

centralized data center; with possibility of optimization, disaster recovery plans and data

center resilience. Even more, those servers are already obsolete and do not fulfil to the

requirements of implementing the CMIS application.

In that sense, KPC shall:

Implement the virtualization of the servers in the data center(s).

Ensure a good lifecycle management, in order to keep the virtualized servers at the right

level of usability.

4.7.3 Benefits

Going towards the virtualization of the servers (vs. dedicated servers) offers significant

benefits to KPC:

Server usage optimization: the hardware is not used only by one application but by

multiple applications. Therefore, this allows cutting down the waste of serverʹs resources,

by utilizing more efficiently the physical server resources and by provisioning each


Page 29

virtual machine with the exact amount of CPU, memory, and storage resources that it

needs.

Improved disaster recovery: by definition, a virtual machine can be configured on any

physical server, given that virtualization provides hardware abstraction capability.

Increased uptime: ability to quickly and easily move a virtual machine from one server to

another is perhaps one of the greatest single benefits of virtualization with far‐reaching

uses.

Faster server provisioning: KPC ICT can plan easier the needed capacity, because server

virtualization enables an ʺelasticʺ ability to provision the system and to deploy it at a

given time.

Cost reduction: Hardware is most often the highest cost in the data center. With

virtualization the amount of hardware used is reduced which means the cost is reduced

as well. But the cost goes well beyond that of hardware amount: lack of downtime, easier

maintenance, less electricity used. Over time, this all adds up to a significant cost savings.

4.8 Implementing Adequate Scanning Devices


For the time being, KPC has no appropriate scanning solution. This kind of system is

required in order to digitize the paper flows (documents) processed by KPC; i.e., to scan,

organize and store these documents.

4.8.2 Rationale

In order to provide suitable scanning capabilities, not only adequate hardware for scanning

is needed, but also an increased capacity of storage.

KPC shall undertake a market study in order to determine what scanning devices will be

selected, considering the CMIS requirements. At least, the following criteria shall be

evaluated:

The estimated volume of documents to be processed is obviously a key element in order

to determine the type and required speed of the selected scanners.

The possibility of having desktop scanners (for small volume and decentralized

scanning, at departmental level) and larger, centralized devices for higher volumes –

possibly multifunctional devices. Both types shall be connected to the network.

A review of the documents to be captured shall also be performed, in order to determine

the scanners capacity (A3 or larger formats, single or double sized, type of paper, black

and white vs. colour, etc…).

KPC shall select scanners that support ʺWindows Image Acquisitionʺ (WIA), TWAIN,

ʺImage and Scanner Interface Specificationʺ (ISIS) or SANE (ʺScanner Access Now Easy ʺ)

protocol. These protocols allow the scanners to communicate with the selected scanning

software (cfr § 8, ʺStrategic Key Area 7 ‐ Adequate Software Platform & Toolsʺ). They are

supported by most of the current scanners on the market.


Page 30

In addition, the volume of storage will increase significantly with the use of scanning

technologies. Therefore, with the time, this storage will become a cost and performance

burden. This burden will however be solved thanks to the implementation of data archiving

systems (such as explained in §4.10, ʺImplementing Data Archivingʺ).

In that sense, KPC shall:

Analyse according to the specifications of the new CMIS applications, what are the most

adequate scanning hardware.

Foresee sufficient storage capacity in order to cope with the volume of documents to be

scanned.

4.8.3 Benefits

Quicker access to the information.

Saved time and costs associated with case management.

Increased work productivity.

Increased security of sensitive information.

Lessened reliance on paper storage, lowering space needs and costs.

Increased flexibility in distributing documents.

4.9 Implementing Adequate Data Backups


The current backup solutions are quite straightforward. A full backup is done only for some

applications with a frequency of one hour and without database transaction logs; for other

systems there is no backup system.

4.9.2 Rationale

A more sophisticated backup system is an essential mean for recovering data following to

loss or destruction.

Besides the choice of the system, the frequency and nature of back up will depend, amongst

other factors, on the type of organization and the nature of data being processed. The

security standards for back‐up data are to be the same as for live data.

KPC does not implement database transaction logs. As a consequence, the data between last

backup and a database crash will be lost. In addition KPC, is doing a full back‐up every

hour, which means that one hour of data could be potentially lost if there is a disruption in

the service.

In order to avoid this kind of loss or destruction of data, KPC shall:

Implement a system which implements incremental backup: the purpose of an

incremental backup is to preserve and protect data by creating copies that are based on

the differences with the last backup.

Provide modern hardware and software in order to make possible the incremental

backup.


Page 31

Ensure proper life cycle management for the hardware and the software dedicated to

data backups.

4.9.3 Benefits

The benefits of incremental backups can be summarized as follows:

Less costs for KPC, given that they consume minimum storage space.

More efficiency in the work, given that they are quicker to perform ‐ i.e., the amount of

time needed to perform the backup is minimized.

4.10 Implementing Data Archiving


Currently, there is no data archiving solution implemented at KPC.

4.10.2 Rationale

Keeping available all the time the data and information progressively stored by a daily usage

can slow down the systems. Given the amount of cases processed by year at KPC and the

amount of information related to these cases, keeping those data for several years on line can

induce a serious impact on the efficiency of the new CMIS application.

In order to avoid any loss of performances due to this increasing amount of on‐line data,

KPC shall therefore put in place an adequate archiving system.

4.10.3 Benefits

Automating the data archiving process and using purpose‐built archive systems make

production systems run better, use less resources, and reduce overall storage costs.

Production performance is unaffected by information growth. Backup and recovery runs

faster, disaster recovery is less costly, and systems are easier to manage. Data moved into

archives is stored at much lower cost.

4.11 Implement Adequate Networks


Currently, only some of the Prosecutor’s Offices are connected by optical network provided

by the MPA. The other Prosecutor’s Offices are connected to the network through different

ICT providers in Kosovo; with potential breach in security.

4.11.2 Rationale

In order to have a unified and a secured networking system, KPC shall ensure that all the

Prosecutor’s Offices are connected by optical network. The service concerning the optical

network is provided by MPA. If for any reasons MPA cannot offer anymore this service, KPC


Page 32

shall make a feasibility study to connect the remaining offices with optical network and then

implement the solution accordingly.

In addition, backup connections shall be established through leased lines delivered by ICT

third providers. Potential breaches in security with lines provided by commercial companies

shall be avoided.

To this end, KPC shall:

Ensure, together with MPA, that all the regional offices will be eventually connected to

the KPC network via optical network lines, or realize feasibility study to connect the

remaining offices with optical network and then implement the solution accordingly.

Ensure that specific contracts with ICT third providers for the network are negotiated

and managed by KPC.

Provide the necessary accreditation to the ICT third providers to manage the KPC

network.

Ensure that a KPC domain/sub‐domain will be created, in order to strictly apply the own

KPC security policies.

4.11.3 Benefits

By implementing these activities, KPC will:

Contribute to increase his independency as far as ICT activities are concerned.

Ensure a better monitoring of ICT third providers.

Be able to apply his own security network policies, and therefore, to guarantee that all

necessary security requirements for CMIS (or for other KPC applications) are met.

4.12 Providing of Adequate Desktops


Each year, KPC provides some new desktop equipment and computers for prosecutor’s

offices. However, the main issue resides in the fact that more and more employees need

desktop computers for their work; and this demand cannot be satisfied with the current

desktop computers capacity. Some computers are also too old and need to be replaced with

new ones.

4.12.2 Rationale

The ICT strategy will achieve its purpose only if all end users have functional and

undisrupted access to the ICT systems put at the disposal by KPC. Every end user shall have

his/her own desktop computer connected to KPC network. A suitable desktop computer

configuration is one that normally operates Windows 7 (or later), according to the support

provided by Microsoft Corporation.


Page 33

In that regard, KPC shall:

Perform a feasibility study to virtualize the desktops.

Implement the solution according to the results of this feasibility study.

Ensure the replacement of all old desktops which are facing performance issues due to

their non‐capacity to support new versions of operating systems.

Ensure that a life cycle management is in place for all desktops.

Implement a configuration database, to maintain up‐to‐date information about the basic

information concerning a desktop computer (the year of production, performance data

[RAM, CPU], type and version of installed operating system, location of the workstation

and any other useful information).

Implement a replacement planning (either for traditional desktops or virtual desktops)

according to the configuration database information.

Ensure that there is a budget line available for the implementation of this replacement

planning, the feasibility study and the solution to be implemented according to the

feasibility study.

4.12.3 Benefits

Efficiency planning of budgets and resources.

Efficiency in the work; hence, higher satisfaction of end users.

4.13 Providing of Telephony Services


All telephonic services for KPC, based on a traditional copper‐wire system, are managed in

coordination with MPA. However in the regional offices the management of telephonic

services is done exclusively by the KPC resources.

4.13.2 Rationale

Voice over IP (VoIP) is a group of technologies allowing the delivery of audio

communications and multimedia sessions over Internet Protocol (IP) networks, such as the

Internet.

VoIP technologies are generally low‐cost and allow an efficient use of the bandwidth

available. Therefore, more and more organizations are migrating from traditional copper‐

wire telephone systems to VoIP technologies; ultimately in order to reduce their monthly

phone costs. Also, thanks to the capacity of VoIP to transport both voice and data over a

single network, infrastructure costs are also significantly reduced.

The arguments for going towards the VoIP instead of traditional copper‐wire telephone

systems are quite evident; however, this changing shall be initiated and managed by MPA.

KPC shall thus ensure that a memorandum of understanding exists between KPC and MPA;

in order to jointly agree on the possible future deployment of this technology.


Page 34

4.13.3 Benefits

Ensure the continuation of telephonic services.

4.14 Implementing Cooling and Ventilation Systems


Currently, there are no efficient cooling and ventilation systems as required by international

standards. There are air condition systems in the rooms, but they are not redundant.

4.14.2 Rationale

Cooling of the data center and or patch rooms is one of essential elements to prevent failure

of the systems.

The area of cooling in the data center is much bigger than for example in the patch rooms, so

a more complex cooling and ventilation system shall be in place in order to ensure the

continuity of the data center. This complex solution may include additional devices which

react when the temperature is going up/down, in order to monitor at time the serious

variation of temperature.

For the patch rooms, air‐conditioning systems are sufficient.

In that regard, KPC shall ensure that there are appropriate cooling systems for both data

centers and the patch rooms.

4.14.3 Benefits

Continuity of prosecutorial activities.

Avoid the overheating of servers in the data centres, which can have impact on the

performance and premature end of life; and therefore, increases the costs for KPC.

4.15 Providing Uninterruptible Power Supplies (UPS)


Currently all of the servers are connected to an UPS. UPS systems are not centralized and

most of them are out of date.

4.15.2 Rationale

To prevent single points of failure, all elements of the electrical systems, including backup

systems, shall typically be fully duplicated; and critical servers shall be connected to both the

ʺA‐sideʺ and ʺB‐sideʺ power feeds. This arrangement is often made to achieve N+1

redundancy in the systems. Static transfer switches are sometimes used to ensure

instantaneous switchover from one supply to the other, in the event of a power failure.


Page 35

Backup power consists of one or more:

Uninterruptible power supplies (UPS): an UPS is typically used to protect hardware such

as computers, data centres, telecommunication equipment or other electrical equipment

where an unexpected power disruption could cause injuries, fatalities, serious business

disruption or data loss.

Diesel / gas turbine generators: a diesel generator is the combination of a diesel engine

with an electric generator (often an alternator) to generate electrical energy, in case of

power disruption depending to the size of generator it can produce a power for the data

center for certain period of time.

KPC shall ensure that:

UPS are present in each data center, as well as in each patch rooms.

A study will be made in order to analyse the feasibility of installing appropriate

generators in case off power supply interruptions.

4.15.3 Benefits

Ensuring the continuity of prosecutorial activities

4.16 Implementing Fire Protection Systems


There are no known fire protection alarms for the current server rooms and network

enclosures at KPC; with the exception of Palace of Justice.

4.16.2 Rationale

Data centers fire protection systems shall include passive and active design elements, as well

as the implementation of fire prevention programs. Smoke detectors are usually installed to

provide early warning of a fire at its incipient stage. This allows investigation, interruption of

power, and manual fire suppression using hand held fire extinguishers before the fire grows

to a larger size.

KPC shall investigate and put in place one or more of the following fire protection systems:

Active fire protection system, such as a fire sprinkler system or a clean agent fire

suppression gaseous system, which is provided to control a full scale fire if it develops.

Passive fire protection elements include the installation of fire walls around the data

center, so a fire can be restricted to a portion of the facility for a limited time in the event

of the failure of the active fire protection systems.

Fire wall penetrations into the data server such as cable penetrations, coolant line

penetrations and air ducts, are provided with fire rated penetration assemblies, such as

fire stopping.

4.16.3 Benefits

Ensure the continuity of prosecutorial activities.


Page 36

5. Strategic Key Area 4 - Security

5.1 Current Position Security measures offered by the current ICT infrastructure as well as by ICT in general, are

quite limited.

KPC will have to ensure that all missing security measures will be put in place and will be

applied according to this strategic plan. Those measures shall also respect several technical

standards or good practices. One of the standards in this domain is ISO27001 international

standard which is recognized globally for managing risks related to the security of

information.

Considering the sensitive content of the information handled by KPC, it is obvious that a

special attention must be put on information security and data protection. By integrating a

robust information security management system, KPC shall ensure that the quality, safety,

service and product reliability of the organization have been safeguarded to the highest

level.

In order to respond to those security challenges, KPC shall take the necessary actions in the

following fields:

Implementing adequate firewalls.

Establish segregation of ICT environments and duties.

Implementing network access control.

Implementing user access management.

Implementing controlled internet access.

Ensuring data encryption controls.

Implementing audit trail.

Implementing information technology risk management.

5.2 Implementing Adequate Security Zones


Currently, firewalls are implemented in the KPC ICT infrastructure; but there is no clear

distinction between different possibilities of segregating information according to a specific

public.

5.2.2 Rationale

A firewall is a network security system that controls the incoming and outgoing network

traffic based on an applied set of rules. A firewall establishes a logical barrier between a

trusted, untrusted and demilitarized zone (DMZ). This will be the basis for a definition of

the security zones to be applied at KPC (cfr. picture below).


Page 37

Fig. 4: Security zones

DMZ security zone

In the DMZ zone, the hardware and applications which are displaying the information on

internet reside outside the firewall and all the information is public.

Trusted security zone

Trusted Security zone is the network zone inside the firewall.

All the information dedicated for the prosecutors, prosecutor’s offices and support staff will

be available on the trusted security zone. It is obvious that the confidential information

concerning only prosecutors shall be protected via username and password. All applications

with restricted information are available through this zone.

Untrusted security zone

Untrusted security zone is the network zone that is partially accessible to authorized

outsiders of KPC e.g. availability of the information (according to the laws in place)

concerning a case accessible for a citizen which is related to that case but is still inside the

firewall.

During the period of this strategic plan, KPC shall:

Conduct technical architecture to design the three security zones.

Implement logical network segregation of three security zones.

5.2.3 Benefits

Confidentiality of the information is ensured, because KPC will filter the information

accordingly for the three different security zones.


Page 38

5.3 Establishing Segregation of ICT Environments and Duties


Currently, KPC has at its disposal only two types of environments: a production

environment and development environment. All testing and demonstration activities are

performed at MPA environments. Often, the demonstrations, presentations or testing

activities are done directly in the production environment.

5.3.2 Standards

There are some standards which need to be followed‐up when segregating the ICT

environments:

1. Applications (CMIS or others) have to be developed on a development system. Besides

the ad‐hoc development tooling, this development environment also have only unit

testing capabilities (that means that each individual modules of the application are tested

in this environment by the developer).

2. Once the developer thinks that the particular components of an application are ready,

they are assembled and copied in a test environment; in order to verify that the

application (in a whole) works as expected. This test environment is supposedly

standardized and in close alignment with the production environment. Here as well, the

testing is done by KPC ICT testers according to the requirements of the prosecutors and

the support staff for each application.

3. If these tests are successful, the product is copied to an acceptance environment. During

the acceptance test, prosecutors or their delegates as well as representatives of the

support staff (end‐users) will test the product in this environment to verify whether it

meets their functional requirements.

4. If the end‐users accept the application, it is deployed in a production environment,

making it available to all users of the system.

5.3.3 Rationale

As indicated in the ICT/CMIS Project Proposal there will be a phase of development, test and

acceptance, pilot and model implementation.

Production systems need a stable environment to operate properly. Separating operational

environments from development, test and acceptance activities reduces the risks of

modifications to the operational system that could compromise the system’s integrity or

availability.

In order to fulfil these needs, KPC shall:

Ensure that the production environments are logically or physically separated from the

development, test and acceptance environments. In the production environment, only

operational data are managed. Tests or demonstration or any other non‐production

related activities in this environment will be forbidden.


Page 39

Ensure that the developersʹ access to the production environments is limited to

troubleshooting; and that all their interventions are recorded and monitored. Only

authorized users (ex: prosecutors, support staff) are granted to change/modify

information in the production environment.

Ensure that logon procedures and passwords shall be different for production and

development/test/acceptance environments.

Provide specific policies in order to manage user accounts on the different environments.

Provide procedures (controlled releases) for transferring software or hardware from

development, test and acceptance to production.

Ensure, when physical separation of development/test is not feasible, that the security

measures are equal to or higher than those required for the production environment.

5.3.4 Benefits

No security breach due to people who are not authorized to change the operational

information.

Deployment procedures in production environments will be controlled, and in this way,

the risk of having instable versions deployed in production is reduced; hence, this means

less work and fewer budget spent.

5.4 Implementing Network Access Control


There is no network access control in the current KPC network infrastructure.

5.4.2 Rationale

Network access control (NAC), also called network admission control, is a method of

bolstering the security of a proprietary network, by restricting the availability of network

resources to endpoint devices that comply with a defined security policy.

A network access server (NAS) is a server that performs authentication and authorization

functions for potential users by verifying logon information. In addition to these functions,

NAC restricts the data that each particular user can access, as well as implements anti‐threat

applications such as firewalls, antivirus software and spyware‐detection programs. NAC

also regulates and restricts the operations that individual subscribers can do once they are

connected.

In that regard, KPC shall implement a network access control.

5.4.3 Benefits

Central policy management: the network administrators use a central policy manager to

develop, deploy and manage policies. The policy manager lets administrators use the

included tests, or customize tests to meet specific requirements.


Page 40

Continuous monitoring and enforcement: NAC continuously monitors, ensuring devices

remain compliant at all times. Devices that become non‐compliant are immediately

quarantined.

Automatic and manual remediation: non‐compliant devices are quickly repaired

through automated and interactive remediation options.

5.5 Implementing User Access Management


The usersʹ administration and group policy are implemented at the domain level for ICT

department, in order to have automated management of users, computers and domain

controllers.

Additional organizational units to IT departments are created for managing resources and

administrative credentials of all staff members.

5.5.2 Rationale

In order to comply with the segregation of duties and to meet internal and external

standards and regulations, KPC will ensure that a user access management policy is in place,

in order to fulfil the following (non‐exhaustive) list of requirements:

There are different user accounts per environment (DTAP).

User accounts from development or test shall be prohibited in acceptance or production

environment or limited to troubleshooting and all activity recorded and monitored.

The usage of generic accounts is prohibited.

All user accounts are uniquely identified by a username.

A username is issued to an individual for the duration of that individual’s affiliation

within KPC.

A stricter password security policy is in place.

5.5.3 Benefits

Segregation of duties (confidentiality and the integrity of the data protected).

Tracing capacity of who does what.

Reduction of potential IT risks (e.g. the service desk can no longer reset passwords if

authentication is impossible).

Minimization of the password policyʹs impact on user productivity.

Minimization of help desk costs for password management.

5.6 Implementing Physical Access Control


Currently, there is no system controlling the access to the ICT infrastructure facilities such as

serversʹ rooms or network enclosures.


Page 41

5.6.2 Rationale

Physical access to a data center is usually restricted to selected personnel, with controls

including a layered security system. This system often starts with a security check by the

guards and then with an access control vestibule (mantraps).

Video camera surveillance, alarm systems and permanent security guards are almost always

present when the data center is large and the systems within the data center contain sensitive

information.

For the patch rooms, a closed door with a badge system is sufficient.

In order to apply those security measures KPC shall:

Ensure that physical access control system is applied in the data center’s and in the

different patch rooms.

Provide a feasibility study in order to put in place video camera surveillance and alarm

systems.

5.6.3 Benefits:

Contributing to the confidentiality and integrity of the data, through a suitable access

control.

5.7 Implementing Controlled Internet Access


Internet access is enabled to all employees throughout Kosovo prosecutorial offices. The

internet access is monitored and controlled by Microsoft Forefront Threat Management

Gateway (Forefront TMG). It offers a set of advanced web protection capabilities. However,

Forefront Client Security of TMG has been discontinued. Support is ending July 14th, 2015.

Antimalware and Antispyware definition updates will no longer be available after the end of

the support of this product.

5.7.2 Rationale

The usage of internet at work is nowadays generalized in all organizations and as such this is

an undeniable progress in work conditions and the performances of all employees

(prosecutors and support staff). However the non‐professional usage of the web can have

negative repercussions on the activities of the Prosecutor’s offices and support services.

In order to avoid those negative repercussions, KPC shall introduce controlling internet

access mechanisms like filtering the consulted content inside the organization as well as

internet usage policy.

KPC shall deploy three different levels of filters:

1. On URL level: forbidding access to specific web sites. E.g.: web sites with a video content

or sensitive information.


Page 42

2. On keywords level: defining a list of forbidden keywords, so the end user cannot access

the results if using research engines with those keywords.

3. On file type level: filter the download of certain type of files (e.g.; video, music, etc.). The

possibilities of attacks in this way are limited and the bandwidth of the ICT network is

higher.

5.7.3 Benefits

Thanks to these controls on the internet access, KPC will experiment positive impacts in the

day‐to‐day activities:

Increase of productivity.

Increase of professional usage of internet (information needed for the day to day

professional activities).

Decrease the risk of various attacks (viruses) on the ICT network.

Increase of performance on internet connections.

5.8 Ensuring Data Encryption


Currently, at KPC all the traffic within the WAN is encrypted. There is no implementation of

any encryption mechanism at the data level (databases, applications).

5.8.2 Rationale

Besides the other security mechanisms, given the high confidentiality of the data managed

by KPC, the encryption of the data around all current and future systems shall be used.

Encryption is a translation of data into a secret code. Encryption is the most effective way to

achieve data security. To read an encrypted file, it is necessary to have access to a secret key

or password that enables to decrypt it. Unencrypted data is called plain text; encrypted data

is referred to as cipher text.

KPC shall put in place the following encryptions in the network in order to protect highly

confidential data’s:

Asymmetric encryption (also called public‐key encryption): this kind of system is mainly

used for transmitting information via the Internet; as well as for Digital Signatures.

Digital signature provides the added assurances of evidence to origin, identity and status

of an electronic document, transaction or message, as well as acknowledging informed

consent by the signer.

Symmetric encryption: mainly used for e‐mail messages and document files.

KPC shall ensure as well the implementation of database encryption. The database

encryption protects the stored data because they are unreadable without exact keys.

However the performance of the database can be impacted by the encryption of the stored

data: a reasoned usage of this technique will be used.


Page 43

5.8.3 Benefits

Data protection ‐ even if the information is stolen.

Secure transmission of data from unauthorized users.

Guarantee data integrity from manipulation.

Ensure compliance with laws and regulation on data protection.

5.9 Implementing Audit Trail (Log Management)


There is no audit trail implemented at KPC, but this is a strong requirement expressed by the

prosecutors and support staff in order to comply with security challenges inside KPC.

5.9.2 Rationale

An audit trail is a process which records who has accessed a computer system and what

operations he or she has performed during a given period of time.

Considering that data integrity is a particularly sensitive topic for the prosecutors, audit trail

appears as being the best mechanism to alleviate their concerns.

KPC shall therefore implement audit trail in aggregation with appropriate tools and

procedures; not only in order to assist in detecting security violations; but also to control

performance problems, flaws in applications as well as to recover lost transactions.

This is especially a technical requirement which needs to be implemented in the CMIS

application.

5.9.3 Benefits

Individual accountability: end‐users are less likely to attempt to by‐pass security policy if

they know that their actions will be recorded in an audit log.

Reconstruction of events: when a technical problem occurs (e.g., the corruption of a data

file) audit trails can aid in the recovery process (e.g., by using the record of changes made

to reconstruct the file).

Intrusion detection: intrusion detection refers to the process of identifying attempts to

penetrate a system and gain unauthorized access. If audit trails have been designed and

implemented to record appropriate information, they can assist in intrusion detection.

Problem analysis: audit trails may also be used as on‐line tools to help identify problems

other than intrusions as they occur. This is often referred to as real‐time auditing or

monitoring.


Page 44

5.10 Implementing Information Technology Risk Management


For the time being, information technology risk management is not implemented, given that

the data and information systems are still on manual stage processing.

5.10.2 Rationale

Information technology risk is the danger of loss of confidentiality and/or integrity and/or

availability, due to an inadequate information security.

Information and the supporting applications, IT processes, databases and underlying

infrastructure are important assets of KPC and, like other important assets, KPC shall

suitably protect them. The availability, integrity and confidentiality of information assets are

essential in maintaining the regulatory and legal compliance.

Inside KPC, an information risk management (IRM) service shall be created which will have

as a function and mission:

To use sound principles of risk management : governance, objective setting, event

identification, risk assessment, risk response, control activities, information and

communication and monitoring to ensure that the confidentiality, integrity and

availability of the information is maintained at levels that are proportionate to its value

and criticality.

To require from ICT department and the KPC end‐users to bring to light that they have

designed and implemented effective operational and technical controls for the

information they manage (daily business activities and strategic planning).

To support and advice the ICT department and the KPC end‐users in the design and the

implementation of these technical and operational controls.

To assess the vulnerability of the systems, in order to show the security issues that needs

to be addressed by KPC.

5.10.3 Benefits

Confidentiality, integrity and availability of the information are completely under control

and secured.


Page 45

6. Strategic Key Area 5 – Collaboration Solutions

6.1 Current Position Physical, face‐to‐face interactions remain the preferred way of collaboration between people.

However, the geographically spread organization of prosecutorʹs offices is a reason to further

implement various collaboration solutions.

KPC has already set up some collaboration tools:

The usage of e‐mail: an adequate infrastructure for e‐mail is now in place. E‐mail is used

to communicate and to exchange valuable information across the KPC organization. E‐

mail is also now considered as a ʺstandardʺ tool that is adopted by more and more

people. KPC progressively develops an E‐mail culture, through the implementation of its

own Internet domain.

The web site http://www.kpk‐rks.org. This web site has been financed thanks to donors

and uses technologies which are not maintained nor supported by KPC ICT staff. This

web site mainly makes available :

- Public information provided to all citizens: the content of this information is updated

regularly.

- Restricted information (which requires username and password): this is a shared

library provided to prosecutors in order to exchange the information concerning their

day to day business work.

Those efforts shall be pursued by KPC, in order to provide:

Controlled usage of E‐mail system.

Usage of new collaboration tools.

6.2 Controlled Usage of E-mail System

6.2.1 Rationale

The effort to develop an E‐mail culture shall be pursued by KPC. In particular, to improve

security, the usage of certificates will be encouraged. Also, the usage of private E‐mail shall

be prohibited in the professional context.

However, KPC shall avoid the pitfalls of a too extensive usage of E‐mail:

E‐mails generate chaos. When multiple people try to use E‐mail for collaboration, the

repetitive usage of ʺReply to allʺ, ʺForward” … lead to an uncontrolled explosion of the

volume of information that is exchanged.

E‐mails create silos. In addition to the previous aspect, ʺsilos of knowledgeʺ are created,

due to the fact that the users keep this information in personal or corporate mailboxes.

E‐mails are distracting. When new mails are incoming in their mailbox, people tend to

react on a responsive mode.

E‐mails do not allow filtering the information. A user can only see if an email is

important for him by reading it. Hence, time wasted for processing non‐relevant e‐mails.


Page 46

E‐mailing is time‐consuming. Due to the increasing volumes of E‐mails exchanged,

people spend more and more time in reading their mailboxes.

As a consequence of an uncontrolled usage of E‐mails, the productivity of the people

decreases. This loss of productivity is so high that more and more companies implement

now campaigns to restrict the usage of E‐mails.

6.2.2 Benefits

E‐mails are easy to use and fast. They allow communication with individuals or group of

people.

E‐mails can be used for exchanging various types of information: documents, pictures,

audio or video media…

Providing that an ad‐hoc infrastructure is in place, the usage of E‐mails is secure. In

addition, E‐mails can be encrypted.

Usage of E‐mail is cost‐effective compared to classical way to exchange information

(post).

6.3 Usage of New Collaboration Tools

6.3.1 Rationale

Besides E‐mail, the introduction of new collaboration ICT technologies by KPC will allow to

change the working practices of the prosecutorʹs offices, by bringing together e‐mail,

calendaring, audio/web/videoconferencing, instant messaging, files management; all

combined with the notion of ʺreal‐timeʺ presence. Collaboration tools will also offer to

groups of persons having common interest and objectives, a possibility to work together –

even when physical interactions is not an option.

Collaboration focuses on the management of unstructured information (e.g.: documents,

files…). The management of structured information is addressed by dedicated IT systems or

applications (one of those being CMIS, to support the handling of cases).

There are various general and generic scenarios, relevant for KPC, which can be identified as

good candidates for working with collaboration tools: on‐line discussions, management of

virtual meeting, comment and react on documents, find required expertise (communities),

sharing of information across borders, be alerted for updates on relevant information, etc.

In order to demonstrate there are more ways than the email driven way, and that there are

more effective and efficient paths of achieving collaboration goals, a list of ʺcollaboration

scenariosʺ shall be established by KPC. These scenarios shall be classified into three types of

collaboration:

1. ʺInternal Collaborationʺ, where collaboration takes place from inside the KPC

organization; and not accessible from the external world.

2. ʺOrganizational Collaborationʺ: where the KPC organization can collaborate with other

organizations across different sectors and geographies. Think for instance the


Page 47

collaboration with KJC, or other administrations in other countries (European

institutions, judicial institutions from the Western Balkans in the field of the regional

cooperation, etc.).

3. ʺPublic collaborationʺ, where open collaboration takes place (through a web portal)

between KPC with the public or experts, possibly in other sectors. In particular, the

implementation of CMIS shall allow interactions with the web portal.

This classification is required in order to determine the appropriate collaboration tools that

are needed. A detailed assessment of the possibility of those tools shall be made in the

context of the KPC, for compliance with the general software choices, infrastructure capacity,

information security policies. This choice will also favour tools that can federate with similar

collaboration tools used by other organizations in relation with KPC. Also, those tools have

to be compliant with state and local laws.

In addition, KPC shall deploy and manage official governance. Failure to control the

diffusion of data results into a potential information leakage. The dissemination of content

also requires this governance model to monitor contributions, in order to delete

inappropriate or inaccurate information, facilitate when disagreements occur, ensure no

single voice dominates and maintain the content.

Also, the KPC shall ensure that the collaboration tools are adopted by the end‐users. It is not

because the adequate tools are made available that they will effectively use them! The KPC

will encourage the culture of openness and exchange through the usage of the new

collaboration tools. This topic is also covered in chapter 11, ʺStrategic Key Area 10 ‐ Process

Change Managementʺ.

6.3.2 Benefits

The drivers for adoption of collaboration tools for KPC are:

Increased productivity by reducing waste, improving error handling and facilitating real‐

time decision making.

Operational excellence as the quality and speed of decision making is enhanced.

Overcome time and distance constraints in an increasingly mobile and global workforce

(for instance, collaboration between the different prosecutorsʹ offices).

Traceability: a mean to audit efficiently and control the business processes according to

regulations and laws.

Sustainable know‐how management, by empowering and creating expert communities.

Partnership: a means to work in an open environment with strategic and tactical partners

to create innovative ways of performing the professional activities.

Access to new work forces that were previously inaccessible.


Page 48

7. Strategic Key Area 6 - Implementation Methodologies

7.1 Current Position CMIS is a large project, with several specific characteristics:

It covers a full lifecycle, from analysis to deployment into production.

It is planned to be implemented on a quite long period (four years).

It has to take into account the complexity of the processing and management of court

cases, and therefore, it is not guaranteed that all the requirements can be upfront locked.

To be effectively and efficiently implemented, it requires the active involvement and

feed‐back of users during all the project phases; in particular, during the analysis, the

development and the testing.

Therefore, KPC has to ensure that a standard set of phases composing the CMIS project

lifecycle will be carried out; and this, predictably, reliably and with focus towards

continuous improvement. To improve visibility, it is also required to foresee intermediate

results and a progressive validation of the project progress.

Hence, there is a need for suitable methodologies to support the execution of all the project

activities:

Choice of suitable implementation methodologies: iterative approaches.

Development of a coherent test strategy.

Co‐ordination between development and operation: DevOps approach.

Migration path: reuse of existing data.

Filling CMIS data.

7.2 Choice of Suitable Implementation Methodologies: Iterative Approaches

7.2.1 Rationale

In a ʺclassicalʺ methodological approach, also known as ʺWaterfall approachʺ, the project is

structured into distinct phases, with defined deliverables from each phase. Once a phase is

completed, the project proceeds to the next phase and there is no turning back. The major

drawback is that the users can only see the concrete results at the end of the project – and the

progress is hard to assess. As an additional consequence of this approach, the evolution of

the needs is difficult to take into account. This kind of approach leads to the so‐called

ʺTunnel effectʺ; when the user discovers after a quite long time an application that does not

fit (anymore) his requirements. This drawback is especially inconvenient when the

requirements are complex, not well defined upfront or frequently evolving.

Considering the characteristics of CMIS, KPC shall therefore avoid this approach and favour

an iterative approach. “To iterate” means to perform a project in multiple passes, each pass


Page 49

improving progressively the result, until “finished” ‐ by adding at each pass new

functionalities.

Various declinations of iterative approaches are possible; the most suitable in the context of

CMIS being:

ʺRapid Application Developmentʺ, or RAD, is an iterative method that focuses on

developing a sequence of ʺprototypesʺ. A prototype is a ʺreducedʺ construction of what

must be built in real production; that is used to validate a solution, to prove a technical

feasibility or to explore a functional behaviour. A prototype allows having a

demonstrable, concrete system to be built in as little as one or two weeks. Since it is a

concrete and quite good image of the final result, it is considered as an effective way to

get feedback from users – and therefore, to quickly take into account their possible

requirements changes.

ʺAgileʺ approaches: Scrum. The so‐called ʺAgileʺ approaches focus on human‐ and

communication‐oriented rules and on shortening the life‐cycle of a project. Several

ʺAgileʺ approaches have been developed. Among the various Agile approaches, Scrum is

the most popular. Scrum is a framework that is used to manage complex product

development. It is a lightly controlled method, which insists on frequent updating of the

progress in work through regular meetings. Therefore, there is a clear visibility on the

project development.

Before to start the project, KPC shall assess these approaches, with the aim to decide what

method would be the more appropriated.

In addition to the iterative approach, the principle of a pilot deployment of new applications

shall also be adopted by KPC. A pilot consists into the progressive deployment of the system

from a small scale (e.g.; one or two prosecutorʹs offices) to a full‐scale. This approach allows

assessment of the new system (technical, organisational, users enthusiasm), to make a better

workload estimation and to identify a priori the difficulties related to the full‐scale

deployment.

7.2.2 Benefits

Iterative approaches are well adapted to complex IT domains. They allow a rapid

feedback from the users – they discover progressively if what it is implemented is

actually what they want.

Since many things may change along the way, these approaches offer flexibility to

address evolving requirements, which can be quickly addressed in the next iteration(s).

Also, the putting into production of the different iterations is progressive. It is therefore

easy to roll‐out new functionality in stages.

This approach allows higher motivation and greater productivity: the project

deliverables are available earlier, allowing both the business users and the project team to

regularly measure the progress of the project through concrete pieces of work.


Page 50

Finally, iterative approaches allow a better risk management:

‐ one can identify soon if a project is not “feasible”;

‐ design flaws are discovered quickly;

‐ they allow leveraging lessons learned, since there is little knowledge loss between

iterations and therefore, they allow to continuously improve the process.

7.3 Development of a Coherent Test Strategy Testing is obviously a mandatory activity during the implementation of CMIS and other

applications. Due to the increasing complexity of these systems (from a technical or a

functional point of view), KPC shall systematize and automate these tests. Furthermore,

testing is not only a matter of performing limited technical tests on some part of the software.

It is also a complete process, for which KPC shall guarantee that, during the development

phases, a separation is made into two distinct, mandatory phases:

Phase 1: preparation;

Phase 2: execution.

7.3.1 Standards

KPC shall foresee various tests when developing a system. Based on the ISTQB (International

Software Testing Qualifications Board), these tests are classified according to ʺtest levelsʺ and

ʺtests typesʺ.

7.3.2 Rationale

The ʺtests levelsʺ characterize the type of tests to be undertaken at each level of the project

lifecycle:

Unit tests: aim to test the smallest testable part of the system (during the development of

the system). The purpose is to ensure that the code behaves as expected – or will behave

as expected when the system is being changed.

Integration tests: allow to test the combination of several smallest testable part of the

system into an integrated aggregate.

System tests: also known as ʹFactory testsʹ: a set of qualification tests of the whole system,

before its delivery to the users.

Acceptance tests: the qualification tests performed by the users, after delivery of the

whole system.

The ʺtests typesʺ are performed at any of the test levels. There are different tests types, the

most usual being:

Functional tests: verify the functional requirements of the system;

Non‐functional tests: test the all characteristics from the system which are non‐functional,

such as performance, availability, security, production readiness…

Non‐regression tests: aim to find defects after a major change has occurred in the system;

Usability tests: assess if the user interface is easy to use and to understand.


Page 51

KPC shall undertake the execution of these tests levels and tests type for CMIS. The

organization of testing activities shall occur through a 2‐phases procedure:

Phase 1 – Preparation: encompasses the elaboration of:

‐ A Test Strategy Document (a high‐level document, describing the complete set of

tests activities, the roles involved in these activities, their responsibilities and the

scope of the tests activities)

‐ A Test Plan (that gives detailed information required for the practical execution of

testing).

Phase 2 – Execution: consists of the test execution according to the specifications of the

Test Strategy and the Test Plan. In the context of iterative approaches, KPC shall

automate the execution of tests campaigns; in order to:

‐ Automatically run ʺtests scriptsʺ, based on the description of the tests scenarios;

‐ Have KPIs to follow tests execution and defects: quality, progress;

7.3.3 Benefits

An accurate and detailed test preparation; allowing a straightforward test execution.

A demonstration that the business requirements are met, through the execution of

acceptance tests.

Thanks to test tools automation, tests can run fast and frequently, which is cost‐effective

for applications with a long maintenance life.

Extensive and structured testing leads to the deployment in production of a more reliable

application, hence a reduction of support and maintenance costs and an increase of end‐

users confidence.

7.4 Co-ordination between Development and Production: "DevOps" Approach

7.4.1 Rationale

DevOps is a way of working, where the Development (Dev) and Operations (Ops) teams are

working closely together as one team to deliver IT services, hence: DevOps. DevOps

encompasses the implementation of continuous delivery, continuous integration, automated

testing, application monitoring and other best practices in software development and

operations. It therefore requires a certain level of maturity in the organization of IT.

Of course, it is not only a matter of organization, but also of availability of tooling in order to

automate key‐processes in the development and operations (build, testing, quality control,

configuration management, deployment).

To start a DevOps implementation program, the KPC shall first assess the current ‘as‐is’

situation of the organization in a number of different DevOps key areas. Then, KPC shall

define a ‘to‐be’ situation based on the KPC organizations requirements and budget is

defined. This ʹAs‐Isʹ – ʹTo‐Beʹ evaluation is made using a DevOps maturity model:


Page 52

Fig. 5: A proposed DevOps maturity model for KPC

Considering the current situation of KPC ICT, the Level 1 of this maturity model shall be

targeted. This level focuses on having processes documented and automated.

7.4.2 Benefits

Speed up of the production and deployment of new features and products.

Increase the reliability, stability, resilience and security of the production environment.

7.5 Migration Path: Reuse of Existing Data

7.5.1 Rationale

KPC already has at his disposal various applications or databases, containing relevant data,

or other specific, local applications developed on an ad‐hoc basis.

Whatever the new systems or applications being put in place, it would be counter‐

productive to not reuse these data. Hence, KPC shall implement a migration process; aiming

to identify the data to be migrated, to collect and to transform the existing sources and to

integrate them in the new systems.

Data migration is not only a technical process. It encompasses the following steps:

1. Identification and collection of source data, from the various existing applications ‐ or from unstructured sources, correction and enhancement (ʺdata cleansingʺ) of those

collected source data and data archiving (to reduce the amount of data that needs to be

migrated).

2. Transformation of the source data to a target compatible format.

3. Import of target data to target applications. 4. Verification that the target data conforms to business and technical constraints.

Those steps will be fully detailed by KPC during a preliminary study phase; to be

undertaken before the data migration itself.


Page 53

7.5.2 Benefits

The following benefits are consequent of a structured data migration strategy:

Improvement and extension of the data lifecycle; thanks to the reuse of the data.

Improvement of the data quality; thanks to cleansing activities and the validation of data

integrity.

Decrease of production incidents; thanks to a better data quality.

7.6 Filling CMIS Data

7.6.1 Rationale

The progressive introduction of CMIS in production requires to proper handling of the

processing of previous, current and new cases. The following scheme shall be followed as

soon as CMIS is operational:

Electronic data entry for new cases shall be performed by the KPC users as they are

received. No coexistence of manual processing and electronic data entry shall be

permitted.

All on‐going cases shall be scanned by an external company (to be selected). Together

with the KPC users, this company will perform the data entry of these cases in CMIS

according to their progress.

All old cases (closed) shall be scanned and entered in CMIS by this external company.

7.6.2 Benefits

A structured approach that guarantees the continuity between the current way of

working (manual) and the new one (electronic).

No loss of information due to the introduction of the new system.


Page 54

8. Strategic Key Area 7 - Adequate Software Platform & Tools The Software Platform & Tools activities which will be implemented during this strategic

plan are the following:

Implementing software architecture.

Use of standard protocol for information exchange.

Selection of a suitable scanning solution.

Use of adequate collaboration tools.

Implementing witness protections systems.

8.1 Implementing Software Architecture


Taking into account the ambitions of CMIS, KPC needs to deploy state‐of‐the art

technologies for its implementation.

The current de‐facto standard for the software environment is the suite of Microsoft

products. Indeed, KPC takes advantage of the benefits of an Enterprise Agreement between

MPA and Microsoft, allowing for better financial conditions for the acquisition of licenses. It

is therefore reasonable to consolidate the software choices around this suite.

8.1.2 Rationale

8.1.2.1 Licenses management

As stated in § 2.4, KPC shall initiate a memorandum of understanding with the MPA in

order to agree that software licenses provided by MPA will remain available in the future for

KPC.

However, in the event that this memorandum of understanding could not be agreed, or

should be interrupted, mitigation actions must be identified, in order to allow KPC to still

have the suitable licenses at its disposal.

KPC shall therefore turn to software markets, in order to negotiate on its own the licenses

agreements with selected software providers.

8.1.2.2 Development framework

Together with the Working Group, KPC has opted for the usage of the .Net framework for

the development of CMIS and other future KPC applications.

This framework, developed by Microsoft, provides an object‐oriented programming

environment. It allows minimization of the efforts required for software deployment.

8.1.2.3 Database system

The amount and criticality of data handled by CMIS and further applications to be

developed require the use of the Database Management System (DBMS) that is centralized


Page 55

(not disseminated), reliable (no failure), performant (short access times and the capacity to

process high data volumes), secure (protection of data) and scalable (able to cope with

increase of data volumes).

KPC shall put these requirements in the specification of CMIS, in order to get an adequate

proposal for a DMBS, which must also be compatible with the software architectural choices

previously described.

Also, for compliance with these architectural choices, current applications built on top of MS

Access and Excel shall be phased‐out and replaced by similar CMIS functions – or by

additional applications to be developed (see ʺStrategic Key Area 2 – Application

Landscapeʺ).

8.1.2.4 Reporting

Court and prosecutor’s office statistics and reports must be automatically generated. The

number and quality of reports will make it possible for every user to manage successfully

their work and case load. All manual entries in the registry and auxiliary books as well as on

case file folders have to be abandoned.

KPC shall investigate which is the most appropriate way to generate reports. There are in the

market easy reporting tools which can be implemented at KPC. The development of

customized reports by the ICT resources will have higher maintenance cost then the market

reporting tools packages.

8.1.2.5 Additional tools

The usage of complementary tools for improving the quality and efficiency of the

developments shall be ensured:

Software versioning: like Apache Subversion; a complete software versioning and

revision control system distributed as free software under the Apache License.

Test tool automation: like Visual Studio Test Professional, allowing to define, conduct

and automatically run test scenarios. JMeter, as free software under the Apache License,

can also be used for load testing (analysis and measure of the performance of the

developed application).

8.1.3 Benefits

The architectural choices are compliant with the current architectural choices already

jointly made by KPC & KJC.

In addition, the IT competence mastering this environment already exists inside KPC,

hence minimizing the efforts required for additional training.


Page 56

8.2 Use of Standard Protocol for Information Exchange


The requirement for CMIS to interoperate with IT systems of other Kosovo administrations

(e.g.; policy, civil register…) or later with other EU systems, demands the adoption of open

standards allowing the electronic bi‐directional exchange of information.

A prerequisite to this interoperation is the existence of a legal framework allowing the

availability of information under an electronic form.

8.2.2 Rationale

When the interoperability criteria have a high priority, the usage of Web Services is required.

This is the case when implementing CMIS as well as other support applications at KPC. Web

Services allow interconnecting different, heterogeneous applications ‐ no matter the

operating systems or programming languages of these applications. Web Services provide a

secure access to data; since they control access to the data and services they make available to

other applications.

Also, Web Services favour the reusability and protect applications using them from further

changes (providing that the interface of the Web Service do not change).

8.2.3 Standards

The interoperability of Web Services is possible because they rely on open standards:

XML: Extensible Mark‐up Language ‐ a mark‐up language designed to describe data.

SOAP: Simple Object Access Protocol – the communication protocol used by Web

Services.

WSDL: Web Services Description Language ‐ allowing a standard description of a Web

Service.

UDDI: Universal Description, Discovery and Integration – a registry allowing to publish

and to find Web Services.

8.2.4 Benefits

Electronic exchanges of information between systems reduce the risks of poor quality of

data, due to ʹmanualʹ replication or copy of information sources.

Web Services offer a technology allowing secure interoperability, based on standards,

independent for any platform and insulated from further changes.


Page 57

8.3 Selection of a Suitable Scanning Solution


For the time being, KPC has no appropriate scanning solution. This kind of system is

required in order to digitize the paper flows (documents) processed by KPC; i.e., to scan,

organize and store these documents.

ʺDigitizeʺ means two things:

Document scanning, which is the process of converting a paper document into an

electronic representation – or ʺimageʺ.

Data scanning, which is the ability to automatically extract and recognize specific

information in the document, in order to create indexes that will allow the further

processing of these documents by CMIS.

8.3.2 Rationale

KPC shall undertake a market analysis, in order to select an appropriate scanning solution.

The selected solution shall be able to scan both structured (like forms) and unstructured

(free‐text) documents.

Obviously, the volume of documents shall also be taken into account during the selection

process. Therefore, the proposed solution shall support both batch scanning (ʺstacksʺ of

documents for large volumes), but also the scanning of individual documents (small

volumes). The speed of scanning shall also be a key criterion, in order to provide the highest

throughput possible.

The following minimal list of requirements shall also be mentioned for the selection process:

Quality control and image optimization (ʺcleaningʺ of bad quality original documents).

Automatic recognition based on optical character recognition (OCR, printed text),

Intelligent Character Recognition (ICR handwritten text) and Optical Mark Recognition

(OMR, for among other checkboxes on pre‐printed forms).

And of course, the possibility to transfer the scanned documents and data to CMIS.

8.3.3 Benefits

A scanning solution is the cornerstone of any document management system, by allowing

the dematerialization of documents.

8.4 Use of Adequate Collaboration Tools


In ʺStrategic Key Area 5 – Collaboration ʺ, the disadvantages of using only E‐mail as a

collaboration technology; as well as the need of implementing new collaboration solutions

have been detailed.


Page 58

In addition, the web sites http://www.kpk‐rks.org uses PHP technologies, that are not

maintained nor supported by KPC ICT staff.

8.4.2 Rationale

Two families of collaboration tools shall be considered:

Synchronous collaboration tools; allowing real‐time communication and collaboration

(e.g.: messaging, chat rooms, audio conferencing, video conferencing, on‐line meetings

capacity, screen sharing for presentations, presence indication…).

Asynchronous communication tools: allowing communication and collaboration over a

period of time (e.g.: e‐mail, discussion boards, streaming audio or video, sharing of

document libraries, Wiki facilities etc.).

KPC shall undertake a market research, in order to determine the tools (commercial or open

source) that are the most suitable for its usage.

In parallel, KPC shall ensure:

The migration of the web site http://kpk‐rks.org towards a comprehensive Web portal

structure, dedicated to all prosecutorʹs offices. The portal shall allow different levels of

access control, in order for each specific prosecutor’s office to securely publish its own

public or private information.

8.4.3 Benefits

The acquisition and deployment of those solutions will allow a cost‐effective provision of the

full range of collaboration facilities, such as presented in the ʺStrategic Key Area 5 –

Collaboration ʺ.

8.5 Witness Protections Systems


There are no witness protections ICT systems, with audio and video multimedia technology,

to guarantee the confidentiality of the information.

8.5.2 Rationale

In order to ensure adequate protection for witnesses, but at the same time, to create lawful

trial environments, KPC shall invest significant efforts to design and implement witness

protection systems.

Prosecutors’ Offices will be equipped with audio and video multimedia technology. Audio

and video distortions will be used to further prevent unauthorized identity identification of

protected witnesses. Deliberate distortion or encoding of audio/video signals, is done

through an electronic device (scrambler) or /and software to prevent unauthorized reception

in ʹplainʹ or ʹreadableʹ form.


Page 59

Also, KPC shall install adequate video conferencing lines between prosecutor’s offices and

other institutions dealing with security, as well as with similar institutions abroad.

8.5.3 Benefits

Enabled remote testimony for witnesses.

Reliable protection systems for the witnesses.


Page 60

9. Strategic Key Area 8 - Support and Maintenance

9.1 Current Position The support and maintenance services are currently organized in such a way that only

responsive actions are taken by the ICT resources at KPC in case of problems – not proactive

ones.

There is a central ICT service in Prishtina which manages all aspects of ICT, and there is

decentralized ICT support staff for each regional office, which helps Prosecutor’s Offices on

and ad‐hoc basis in their daily activities.

In order to organize the support services and have more proactive vs. responsive actions,

KPC shall implement the following services:

Service Support.

Service Delivery.

9.2 Standard KPC shall organize the support services based on the IT Infrastructure Library® (ITIL). ITIL

is the most widely accepted approach to IT Service Management (ITSM) in the world. It

consists of the best practice framework that has been drawn from both public and private

sectors internationally. It describes how IT resources have to be organized to deliver business

value, by documenting the processes, functions and roles of ITSM.

9.3 Rationale Given that ITIL provides a large framework of possibilities to be used, KPC shall apply the

following services to be delivered by ICT as described in ITIL:

Service Support, and

Service Delivery.

9.3.1 Service Support

The service support focuses on the Users of the IT services and is primarily concerned with

ensuring that they have access to the appropriate services to support the business functions.

In that sense, KPC shall ensure that a service desk is in place which provides the following

services to the end‐users:

Incident Management: is about restoring the normal services in order to minimize the

adverse impact on the prosecutors and support staff activities, and to ensure that the best

possible levels of service quality and availability are maintained. In that regard, the KPC

service desk shall :

– Implement workflow process of incident management (escalation and resolution);

– Classify the incidents;


Page 61

– Assess impact and urgency;

– Allocate a priority.

Problem Management: is about the investigation of an unknown underlying cause of

one or more incidents, in order to propose ‘structural changes’ and to avoid the

repetition of those incidents in the future.

Configuration Management: is about providing accurate information about the ICT

assets of KPC. In that regard, the KPC service desk shall implement and maintain a

configuration management data base (CMDB).

Deployment (release management): is a collection of authorized changes into the

production environment. It consists of a number of problem fixes and enhancements to

the service and it can include software, hardware and documentation.

Change Management: is the ability to manage the volume of changes needed by KPC,

with a minimum adverse impact on services. In that sense, the KPC service desk will:

– Ensure that impacts, costs and risks are assessed;

– Ensure that all changes are authorized;

– Provide control through a standard framework and discipline for changes.

9.3.2 Service Delivery

The Service Delivery is the set of proactive services that KPC must deliver in order to

provide an adequate support to the end‐users. To this end, KPC shall implement the

following:

Service Level Agreement (SLA): is a ʺcontractʺ between end‐users and KPC, to ensure

that all ICT services are:

– Agreed upon with the prosecutors, prosecutor’s offices and support staff;

– Actually delivered in accordance with the agreement in order to meet business needs.

Financial Management of ICT services: the objective of this service is to manage the:

– Budgeting: predict and control the spending of money, and

– Accounting: identify and monitor the actual costs of ICT services.

Capacity Management: is about having the right capacity at the right place at the right

time at the right cost. The scope of capacity management mainly includes the hardware,

the software, the networks and, potentially, the people.

Continuity Management: is about the prevention and recovery, in order to reduce risks

through counter measures, to evaluate recovery options and to select the suitable

recovery options.

Availability Management: the percentage of the agreed service hours for which the

component or the service is available. The objective is to optimize the capability of the

ICT to deliver cost effective and sustained level of availability that enables the end‐users

to satisfy their business objectives.


Page 62

9.4 Benefits ITIL will provide to KPC a systematic and professional approach for the management of IT

service provision and will offer to the users a huge range of benefits:

Reduced costs.

Improved IT services through the use of proven ʺBest Practiceʺ processes.

Improved customer satisfaction through a more professional approach to service

delivery.

Standards and guidance.

Improved productivity.

Improved use of skills and experience. Improved delivery of third party services through

the specification of ITIL or ISO 20000 as the standard for service delivery in services

procurements.


Page 63

10. Strategic Key Area 9 - Human Resources

10.1 Current Position Even if KPC has already at disposal a valuable pool of IT competences, the implementation

and maintenance of CMIS (and other applications) require having at disposal a wide range of

skilled ICT profiles.

However, skilled ICT profiles remain difficult to hire and to retain. This situation is due to

one side, to the increasing demand for these competences in Kosovo; and on the other side,

to the relative high market salary applicable in this professional sector. Furthermore, salaries

are fixed in the public sector: this situation makes the difficulty even higher for KPC to have

at disposal the required human resource basis.

In addition, all the current hiring procedures and management of the information concerning

civil servants are centrally managed by the MPA. Moreover, the procedures which needs to

be followed up concerning the hiring of new people provided by the MPA are very heavy

and restricted and not adapted to the requirements of KPC.

Therefore, both ad‐hoc and structural measures (on the long term) must be taken to remedy

this situation. In that sense the following will be ensured by KPC during this strategic plan:

Implement Regulatory Changes.

Development of multiannual hiring plan.

Maintaining existing competences.

Outsourcing of resources.

Organization of the support team.

End‐Users training: Training Officers.

10.2 Rationale

10.2.1 Implement Regulatory Changes

As described in the §2.3 Regulatory Changes within KPC’s responsibility, KPC shall adapt

the working procedures which needs to have a regulatory basis.

10.2.2 Development of the Multiannual Hiring Plan

KPC shall re‐enforce a strong in‐house competence team, made of various profiles that are

needed for the implementation of this strategic plan. At least, for the first year of the strategic

plan, the list of profiles to be found includes (but not limited to):


Page 64

Fig. 6: ICT human resources organization

The Infrastructure and Software Units are operating under the leading of the Head of ICT.

The IRM Security Officer is a specialized profile in Information Risk Management, such as

explained in § 5.10, ʺImplementing Information Technology Risk Managementʺ.

The description of these profiles, their priority, the process of selection of experts and their

required amount shall be detailed in a hiring plan, which is to be revised on an annual basis.

This review aims to assess if the hiring goals are attained for the year and to update further

objectives.

KPC shall ensure that sufficient budget is provided for hiring ICT specialist.

10.2.3 Maintaining Existing Competences

In order to maintain and achieve the objectives of this strategic plan, only a hiring plan is not

sufficient. KPC shall maintain and re‐enforce the competences, and shall also establish

training programs for the existing ICT staff. These programs focus on the existing (or future)

technologies used by KPC, on the methodologies (e.g., ITIL, Scrum…), on the business and

legal aspects required for a reasoned implementation, and on additional soft skills that could

be required. Preferably, those programs shall be accompanied by a certification, in order to

demonstrate the value of the learning. Attendance to these trainings shall be defined as a

professional objective for each team member; possibly together with incentives.

The training programs shall be established on a yearly basis for the whole staff; by defining

the nature of the training, certifications according to the needs of the ICT staff members. The

annual review of this plan will allow to evaluate if the training objectives are attained and to

update the goals for the next years.


Page 65

10.2.4 Outsourcing of Resources

Hiring and training are to be considered as quite long‐term objectives – but limited to the

period of this strategic plan. Meanwhile, until the ICT staff does not include all the required

resources, the implementation of CMIS or other projects will be partially outsourced.

ʺPartiallyʺ means that critical resources mean to be insourced, while specialized technical

competencies may be momentary outsourced to private companies to develop, maintain and

operate the KPC ICT environment.

However, to avoid the pitfalls of an uncontrolled outsourcing, the awarded company for the

development of CMIS (or other companies for other applications) shall include in his

proposal a knowledge transfer activity, toward the existing KPC ICT team. This activity

should include two components:

The organization of an extensive training activity, which will address all the details of the

proposed technical architecture. This training shall be given to the existing KPC ICT staff

involved in the development of CMIS.

The organization of a ʺmixed‐teamʺ during the implementation project. Here, the KPC

ICT resources will work together with the external companyʹs team; in order to

effectively involve these resources in the development of CMIS (or other applications).

To this end, the selected provider shall provide KPC with a detailed project organization

scheme, including a clear description of the shared responsibilities for the production of

the project deliverables.

By doing so, KPC will have the guarantee to become the ʺfull ownerʺ of the solution that will

be developed.

10.2.5 Organization of the Support Team

Considering the scope of CMIS, the end‐users will be fully dependent on an effectively

functioning ICT environment. Therefore, the organization of a dedicated Support Team is

necessary to guarantee a sufficient level of permanent ICT support at the level of the

prosecutorʹs offices.

This team shall deliver the services such as described in ʺStrategic Key Area 8 ‐ Support and

Maintenanceʺ; mainly:

Service support, and

Service delivery.

These services shall be organized trough a ʺ3‐levelsʺ organization:

Level 1: is performed by the Regional Support Officers, present in the different

prosecutorʹs offices, under the leading of a Support Officer. The Regional Support

Officers are the single point of contact for the collection and first analysis of incidents (or

problems, or questions) reported by the end‐users. Eventually, a central help desk for the

end‐users advanced support needs will be established at KPC level. If the required


Page 66

service cannot be delivered by the Regional Support Officers; it is reported to the second

level.

Level 2 is composed by the KPC ICT profiles either member of the Infrastructure Unit, or

the Software Unit. They proceed with the analysis of the reported issue; possibly in

collaboration with other KPC officers. If the required service cannot be delivered by the

second line of support, it is reported to the third level.

Level 3 is generally outside the KPC organization; and provided by third‐parties, such as

the software editors (for problems related to the commercial software used by the KPC),

or the external companies involved in the development of the application.

The Support Team shall be placed under the supervision of a ʺService Delivery Managerʺ,

who is the primary responsible for ensuring the smooth running of the KPCʹs ICT systems,

ensuring the end‐users get maximum benefits from them. He also has to establish policies in

order to reach the targets defined in the service level agreement; he monitors the Support

Team members and evaluates the end‐users feedback to develop quality improvement

processes.

10.2.6 End-Users Training: Training Officers

Training officers are responsible for identifying end‐users training needs, and for planning,

organizing and overseeing adequate training for everyday and undisrupted usage of KPC’s

systems. KPC will take the required measures making the training mandatory for all users in

need of it. If felt necessary, adequate measures should be taken in order to overcome

unexpected resistance (through change management or more coercive actions).

Training shall cover various aspects:

Basic ICT training for end‐users (prosecutors and support staff).

Use of the applications put at the disposal of end‐users: CMIS, collaboration tools…

Security education and awareness.

The organization of these training activities shall be detailed in a multi‐year training plan;

which is regularly reviewed in order to evaluate if the training objectives are attained and to

update the goals for the next years.

10.3 Benefits The required variety of skills and profiles available for the implementation, maintenance

and support of CMIS and future applications.

Reduced dependency vis‐à‐vis external providers.

A controlled management of the future needs, thanks to the establishment of hiring and

training plans.


Page 67

11. Strategic Key Area 10 - Process Change Management

11.1 Current Position One of the main obstacles to the adoption of new ICT systems is the lack of knowledge on

the information technology topics by the users.

KPC has already undertaken significant efforts in terms of training to assist prosecutors,

prosecutorsʹ offices and administrative units in the introduction of new ICT tools. These

efforts are fostered by the highest level of the hierarchy.

KPC perfectly understands that the deployment of new ICT tools affects directly the day‐to‐

day activities of its officers, and must therefore be monitored and supervised in order to

facilitate change management and to guarantee the support of the majority. User training is a

crucial condition for success of this type of deployment.

To be fully effective, these training efforts should be supplemented through a broader

change management policy. KPC shall also foresee wider communication and information

channels, adapted to the need of support and coaching – as well as specific activities linked

to the implementation of these changes.

11.2 Rationale When introducing a new system, a new application…, change management aims to create a

climate of understanding, participation and enthusiasm from all those are impacted in their

daily work by this change. It is a key factor in the success and effectiveness of the

introduction of a change – as the deployment of a new IT system.

Various methods are possible to achieve this goal, in that regard KPC will refer to the

ADKAR model. This model has been formalized by Prosci, based on psychological studies

on individual behaviour in relation to the change.

Briefly, this model considers that for an individual to actually adopt a change, it must go

through five phases, namely:

Awareness: this phase aims to make the concerned users aware of the changes that will

happen.

Desire: this change process aims to create a positive attitude towards the change and to

appease the concerns.

Knowledge: this phase of the change process aims to create an understanding about the

impact of the new way of working.

Ability: this phase of the change process intends to facilitate the rapid and effective

adoption of the new system

Reinforcement: It is not only a phase, but a complete process to set up in order to

strengthen the individuals in their new way of working, to sustain the change and to

help to grow thanks to feedback.


Page 68

The following picture depicts the appropriate accompanying activities for each of these

phases:

Fig. 7: Accompanying activities for the five phases of change management

Obviously, the communication is the leitmotiv through all the phases of change. KPC shall

establish a communication plan with the project managers, an appointed communication

team and the management. This communication plan is made of 7 steps, as depicted in the

figure below:

Fig. 8: A 7‐steps communication strategy

The goal of these steps is to define, for each ADKAR phase:

1. The communication objectives.

2. The target groups to be addressed.

3. The organizational aspects needed for the performance of the communication plan.

4. The key messages to convey.

5. The communication media to be used (mail, newsletter, seminars, intranet…).


Page 69

6. The communication actions and their timing.

7. The evaluation of communication actions, in order to refine the following additional

actions or to define new ones.

11.3 Benefits Thanks to an effective application of a change management strategy, the KPC staff feels

supported and understands the change process and the underlying vision. Therefore, he

is placed in a better position to be ready to accept the change.

Change management builds commitment to work together and to develop more for the

future.

By creating a communication plan that considers all the individuals and teams involved

in the change, KPC will increase the success rate and the efficiency of any ICT project.

With the right people involved, inefficiencies and waste are reduced, and costly projects

that do not reach their ultimate goals are avoided.


Page 70

Annexes

KPC ICT Strategic Plan - Working Group

Participants Position

Sylë Hoxha Acting Chief State Prosecutor – State Prosecution

Jetish Maloku Chief prosecutor ‐ Basic Prosecution – Gjilan

Shpresa Bakija Chief prosecutor ‐ Basic Prosecution – Gjakovë

Shkëlzen Maliqi General Director – Office of Secretariat Director

Zana Imami Head of registers office – Basic Prosecution Pejë

Nexhat Haziri Head of ICT section KPC

Naser Hasani Head of Statistical Office

Lulzim Sylejmani Prosecutor –Prosecution Appeal – Prishtinë

Valdet Gashi Prosecutor – Basic Prosecution – Prishtinë

Naim Beka Prosecutor – Basic Prosecution – Mitrovicë

Ariana Shajkovci Prosecutor – Basic Prosecution – Prizren

Burim Qerkini Prosecutor – Basic Prosecution – Ferizaj

Ardian Bajoku Manager of General Services Office

Sadri Krasniqi Manager of Human Resources Office

Basri Kastrati Manager of Protection & Assistance to victims Office

Fatmir Rexhepi Head of ICT section KJC

Ilir Hetemi Database Administrator ‐ ICT section KPC

Fidaim Beka Network administrator ‐ ICT section KPC

Agron Osmani IT officer ‐ ICT section KPC

Jean‐Louis Bottiau ICT expert

Bashkim Bitiki ICT expert

KPC ICT SRATEGIC PLAN 2015-2020 - Prokurori i · PDF fileKosovo Prosecutorial Council ICT...

Documents

Transcript of KPC ICT SRATEGIC PLAN 2015-2020 - Prokurori i · PDF fileKosovo Prosecutorial Council ICT...