Description
Information technology (IT) is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data,[1] often in the context of a business or other enterprise.
Information Technology Procurement, Management and Operations Preliminary Report Professor J. Clark Kelso Interim Director Department of Information Technology July 1, 2002
Introduction On May 31, 2002, Executive Order D-57-02 directed me to “develop a proposal for the procurement, management and operation of the State’s information technology systems,” with a preliminary report due by July 1, 2002. This document constitutes my preliminary report. In Part I, I propose specific steps that I recommend for immediate implementation to ensure appropriate oversight of ongoing information technology projects (many of which are statutorily mandated and cannot be stopped in place) and to clarify roles and responsibilities over information technology projects and procurements in light of the Department of Information Technology’s sunset on July 1, 2002. These recommendations have been drafted in anticipation of the possibility that DOIT will sunset without any further statutory action being taken to continue any of DOIT’s functions in some other form. Particularly in light of the possibility that the budget might not be final as of July 1, it seemed prudent to make recommendations that reflect the legal reality that, as of July 1, there would be no statutory authorization for DOIT or its statutorily authorized functions. However, it should be noted that the Senate’s version of the budget now appropriates $2 million to the Department of Finance for information technology oversight and security, and if that amount remains, there will be some additional steps we can take when the budget is final. In Part II, I present my preliminary recommendations for a permanent IT governance and leadership structure. These recommendations have been developed in a very compressed time frame, and while I have consulted with a variety of experts in and out of government and have read dozens of reports, the complexity of the subject matter suggests the need for caution before acting too quickly upon any one person’s judgment. Accordingly, I do not believe my preliminary recommendations are ripe for immediate implementation or even formal legislative consideration. Instead, these recommendations simply reflect my current best thinking on the subject with the clear appreciation that many of the issues covered are open to further debate, analysis and discussion. Part I. Recommendations for Immediate Implementation The Department of Information Technology’s authorizing statute becomes inoperative on July 1, 2002. Its sunset creates confusion over roles and responsibilities during the
1
interim period from July 1 until whenever a new statutory structure is adopted or authorized. Under existing law, each department and agency has responsibility for managing its own information technology projects to ensure they are on course, on time and on budget. DOIT has been performing an oversight role with respect to many of these projects, attempting to ensure through reporting requirements that proper management is in fact taking place. DOIT also has had responsibility for maintaining statewide policies, standards and guidelines regarding information technology operations, project management, and security, and for providing leadership on statewide information technology issues. As a purely legal matter, in the absence of any statutory transfer of DOIT’s functions to another department, DOIT’s sunset suggests that, beginning July 1, there will be no independent department with express and clear statutory responsibility for overseeing the management of information technology projects. As a practical matter, then, each department and agency will have to step up its own oversight activities to reduce the risk of project failure during the interim period. DOIT’s sunset also creates some legal confusion about the enforceability of provisions promulgated by DOIT in the State Administrative Manual and the Statewide Information Management Manual regarding information technology policies, standards and guidelines. This confusion can be substantially reduced by issuance of one or more Department of Finance management memoranda addressing the issue of the enforceability of policies, standards and guidelines that DOIT has promulgated. In order to clarify responsibilities and accountabilities for IT project management, procurement and oversight during the interim period, I recommend that the administration announce an Interim Information Technology Oversight Initiative. This initiative would be established by an Executive Order that: • Directs each agency immediately to assume responsibility for the oversight of the management of ongoing information technology projects and procurements within the agency’s jurisdiction; Directs each agency and department to develop or, if already developed, to reassess, its ethical guidelines as they apply to individuals involved in the procurement, management and operation of information technology systems with the goal of avoiding the appearance, as well as the reality, of impropriety or conflict of interest; Directs each agency to prepare a report to be submitted to the Department of Finance in 30 days describing what concrete steps the agency can take during the interim period to increase the agency’s oversight of major information technology projects and procurements within the agency to ensure that such projects stay on
•
•
2
course, on time and on budget, and to identify any impediments in accomplishing that increase in oversight; • Directs each department and agency to modify, if necessary, its internal reporting relationships so that the chief information officer and chief information security officer reports directly to their department director or agency secretary; Directs the Department of Finance, pursuant to its “general powers of supervision over all matters concerning the financial and business policies of the State” (Gov’t Code Section 13070), to issue one or more management memoranda providing for continuity and clarity with respect to existing policies, standards and guidelines regarding information technology operations and security, and with respect to roles and responsibilities in information technology project approval, procurement and oversight; and, Provides that, effective July 1, 2002, the Department of Finance shall become the successor to and custodian for all records and papers held for the benefit or use of the Department of Information Technology in the performance of its statutory duties, powers, purposes and responsibilities. Part II. Preliminary Recommendations for Long-Term IT Governance The Executive Order identified the following principles to be used as guides in formulating my long-term proposal for information technology procurement, management and operation: • • • • • • A clear assignment of responsibility for the procurement, management and operation of the State’s information technology systems; Clear accountability for the procurement, management and operation of the State’s information technology systems; Full and fair opportunity for appropriate public input into decisions related to these matters; Full and fair opportunity for competition among vendors of information technology systems; Clear ethical standards for those individuals who procure, manage and operate the State’s information technology products and services; An appropriate needs assessment and fiscal analysis prior to the procurement of new information technology systems; and,
•
•
3
•
A commitment to obtaining quality systems that meet the needs of the State at the lowest possible price.
To gather a wide range of perspectives on the issues of information technology leadership, governance and oversight, and consistent with the direction given in the Executive Order, I convened six key stakeholder focus groups during June 2002 to request input on how best to reorganize the procurement, management and operation of California's information technology systems. The sessions, facilitated by an organizational and public policy specialist, targeted state agency personnel and external technology professionals. Each focus group session was composed of a single peer group. Internal groups ranged from Agency Information Officers to working level information technology staff. External groups included the private sector, local government and former state executives now working in other venues. In addition, I consulted frequently with the directors of the major data centers, as directed in the Executive Order, and with several legislators and legislative staff. I also met with a number of private sector information technology experts, and convened a special conference call of other state CIO’s recognized for their leadership in information technology. Finally, I reviewed a substantial number of reports and analyses, including several reports by the State Auditor and the Little Hoover Commission, all of DOIT’s annual reports, and reports of best practices from other states. Based on my analyses to date, I have the following preliminary recommendations to establish a clearer chain of command for information technology policy development, project initiation and implementation, and procurement, with the overall goals of obtaining quality information technology systems that fulfill documented State needs at the lowest possible price using a competitive process that has both the appearance and reality of fairness and ethics. I incorporate in my proposed chain of command and processes a number of critical points where public input can be secured and where public accountability can be imposed. My preliminary recommendations are as follows: Governance Structure • The State should establish a Government Technology Oversight Board to be chaired by a Chief Technology Executive Officer for the State. The Board would be responsible and accountable for developing and maintaining statewide information technology regulations, policies, plans, standards, and guidelines for information technology projects, security, operations, projects, and, to a limited extent as discussed below, procurement, but excluding budget and initial project approval decisions (for which the Department of Finance will be responsible and accountable). The exact size and composition of the Board needs further study and discussion. There are many models for size and composition from other States and from analogous boards within California. The State should establish an Office of Government Technology, to be led by the Chief Technology Executive Officer. The Office of Government Technology
•
4
would be responsible and accountable for staffing the Government Technology Oversight Board and assisting the Board in fulfilling its duties. • As a matter of general policy, information technology projects and procurements should be initiated and continued only if they clearly serve the business and information technology needs of State departments and/or clearly improve public access to government. Business and information technology needs and public access should be the drivers of information technology initiatives. The State should clarify the assignment of responsibility and accountability over information technology planning, project approval, procurement oversight, project oversight, and post-implementation project evaluation as follows: Information Technology Planning
•
• The Government Technology Oversight Board would be responsible for
creating a statewide strategic plan and vision for the State’s information technology development and for setting and maintaining statewide regulations, policies, standards and guidelines for information technology projects, security, procurement and operations. These regulations, policies, standards and guidelines, supplemented by any other statutory or regulatory requirements, should ensure completion of a needs assessment and fiscal analysis of every information technology project or procurement as part of the approval process, full and fair competition between vendors so that the State receives the highest quality at the lowest possible price, and observance of stringent ethical standards applicable to those who procure, manage and operate the State’s information technology products and services. The process for developing the strategic plan and any regulations, policies, standards and guidelines must include a full and fair opportunity for public input.
• Each department would be responsible for creating its own strategic plan
and vision for information technology development and for developing department-specific ethical standards for department personnel involved in information technology procurement, management and operations. Department plans, which necessarily focus primarily upon the department’s own business and information technology needs, must be consistent with the statewide strategic plan. Each department would be accountable to the Government Technology Oversight Board for developing these plans and standards, and department strategic plans and ethical standards would be submitted to the Board for review and approval or rejection at public meetings, subject to the budget process.
5
Project Approval Process
• Departments and agencies would be responsible for initiating information
technology projects consistent with both statewide and department strategic plans. The Office of Government Technology would provide technical assistance, as needed, in the planning stages of major IT projects.
• The Department of Finance would have the sole responsibility and
accountability for reviewing and approving or rejecting proposed information technology projects. The Department of Finance would determine a project’s consistency with the statewide and department strategic plans, and statewide regulations, policies, standards and guidelines, evaluate the business case and ensure an appropriate needs assessment and fiscal analysis has been performed, and determine if the project is a sound investment of State funds. In conducting this evaluation, the Department of Finance may consult with the Office of Government Technology for technical advice (but would not be required to do so) and may refer a project proposal to the Government Technology Oversight Board for its review and advice (with the final decision remaining with the Department of Finance). Procurement Oversight
• The Department of General Services would be responsible and
accountable for conducting information technology procurements, except for those procurements which, by statute or regulation, a department can enter into without involving the Department of General Services. The Department of General Services would have the responsibility and accountability for ensuring a full and fair opportunity for competition among vendors, for the observance of ethical standards by those individuals involved in the procurement, and for obtaining quality systems at the lowest possible price.
• In those cases when a department has authority to enter into an
information technology procurement without the involvement of the Department of General Services, the department has the responsibility and accountability for conducting the procurement and for ensuring a full and fair opportunity for competition among vendors, for the observance of ethical standards by those individuals involved in the procurement, and for obtaining quality systems at the lowest possible price.
• Information technology procurements would be brought before the
Government Technology Oversight Board for review and approval or rejection at an appropriate time as determined by the Board to guarantee a full and fair opportunity for public input consistent with the need to ensure
6
fair competition among vendors and to obtain quality systems at the lowest possible price. In deciding whether to approve or reject a procurement, the Board would be responsible and accountable for ensuring that the procurement documents are consistent with applicable information technology regulations, policies, standards and guidelines, is aligned with the department’s business or information technology needs, and will obtain quality systems at the lowest possible price. Oversight of IT Projects
• Each department has responsibility for managing and implementing its
own information technology projects, and is accountable to the Government Technology Oversight Board for management and implementation.
• The Office of Government Technology would have responsibility and
accountability for oversight of a department’s management and implementation of major information technology projects, including providing technical assistance as necessary, and for bringing projects that are getting off track, behind schedule or over budget to the attention of the Government Technology Oversight Board for discussion at a public hearing and for possible remedial actions, subject to the budget process. Evaluation of IT Projects
• When an information technology project has concluded, the department is
responsible for preparing a post-implementation evaluation report to assess the extent to which the project fulfilled the original needs assessment by the department, was consistent with the fiscal analysis, and obtained quality systems at the lowest possible price after a full and fair opportunity for competition among vendors. The report should also include an explanation of any ethical issues that arose in the initiation, procurement or implementation of the project. The department is accountable to the Government Technology Oversight Board for its preparation of a post-implementation evaluation report.
• The Government Technology Oversight Board has responsibility and
accountability for considering post-implementation evaluation reports and approving or rejecting such reports at a hearing at which there is a full and fair opportunity for appropriate public input.
7
doc_221849796.pdf
Information technology (IT) is the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data,[1] often in the context of a business or other enterprise.
Information Technology Procurement, Management and Operations Preliminary Report Professor J. Clark Kelso Interim Director Department of Information Technology July 1, 2002
Introduction On May 31, 2002, Executive Order D-57-02 directed me to “develop a proposal for the procurement, management and operation of the State’s information technology systems,” with a preliminary report due by July 1, 2002. This document constitutes my preliminary report. In Part I, I propose specific steps that I recommend for immediate implementation to ensure appropriate oversight of ongoing information technology projects (many of which are statutorily mandated and cannot be stopped in place) and to clarify roles and responsibilities over information technology projects and procurements in light of the Department of Information Technology’s sunset on July 1, 2002. These recommendations have been drafted in anticipation of the possibility that DOIT will sunset without any further statutory action being taken to continue any of DOIT’s functions in some other form. Particularly in light of the possibility that the budget might not be final as of July 1, it seemed prudent to make recommendations that reflect the legal reality that, as of July 1, there would be no statutory authorization for DOIT or its statutorily authorized functions. However, it should be noted that the Senate’s version of the budget now appropriates $2 million to the Department of Finance for information technology oversight and security, and if that amount remains, there will be some additional steps we can take when the budget is final. In Part II, I present my preliminary recommendations for a permanent IT governance and leadership structure. These recommendations have been developed in a very compressed time frame, and while I have consulted with a variety of experts in and out of government and have read dozens of reports, the complexity of the subject matter suggests the need for caution before acting too quickly upon any one person’s judgment. Accordingly, I do not believe my preliminary recommendations are ripe for immediate implementation or even formal legislative consideration. Instead, these recommendations simply reflect my current best thinking on the subject with the clear appreciation that many of the issues covered are open to further debate, analysis and discussion. Part I. Recommendations for Immediate Implementation The Department of Information Technology’s authorizing statute becomes inoperative on July 1, 2002. Its sunset creates confusion over roles and responsibilities during the
1
interim period from July 1 until whenever a new statutory structure is adopted or authorized. Under existing law, each department and agency has responsibility for managing its own information technology projects to ensure they are on course, on time and on budget. DOIT has been performing an oversight role with respect to many of these projects, attempting to ensure through reporting requirements that proper management is in fact taking place. DOIT also has had responsibility for maintaining statewide policies, standards and guidelines regarding information technology operations, project management, and security, and for providing leadership on statewide information technology issues. As a purely legal matter, in the absence of any statutory transfer of DOIT’s functions to another department, DOIT’s sunset suggests that, beginning July 1, there will be no independent department with express and clear statutory responsibility for overseeing the management of information technology projects. As a practical matter, then, each department and agency will have to step up its own oversight activities to reduce the risk of project failure during the interim period. DOIT’s sunset also creates some legal confusion about the enforceability of provisions promulgated by DOIT in the State Administrative Manual and the Statewide Information Management Manual regarding information technology policies, standards and guidelines. This confusion can be substantially reduced by issuance of one or more Department of Finance management memoranda addressing the issue of the enforceability of policies, standards and guidelines that DOIT has promulgated. In order to clarify responsibilities and accountabilities for IT project management, procurement and oversight during the interim period, I recommend that the administration announce an Interim Information Technology Oversight Initiative. This initiative would be established by an Executive Order that: • Directs each agency immediately to assume responsibility for the oversight of the management of ongoing information technology projects and procurements within the agency’s jurisdiction; Directs each agency and department to develop or, if already developed, to reassess, its ethical guidelines as they apply to individuals involved in the procurement, management and operation of information technology systems with the goal of avoiding the appearance, as well as the reality, of impropriety or conflict of interest; Directs each agency to prepare a report to be submitted to the Department of Finance in 30 days describing what concrete steps the agency can take during the interim period to increase the agency’s oversight of major information technology projects and procurements within the agency to ensure that such projects stay on
•
•
2
course, on time and on budget, and to identify any impediments in accomplishing that increase in oversight; • Directs each department and agency to modify, if necessary, its internal reporting relationships so that the chief information officer and chief information security officer reports directly to their department director or agency secretary; Directs the Department of Finance, pursuant to its “general powers of supervision over all matters concerning the financial and business policies of the State” (Gov’t Code Section 13070), to issue one or more management memoranda providing for continuity and clarity with respect to existing policies, standards and guidelines regarding information technology operations and security, and with respect to roles and responsibilities in information technology project approval, procurement and oversight; and, Provides that, effective July 1, 2002, the Department of Finance shall become the successor to and custodian for all records and papers held for the benefit or use of the Department of Information Technology in the performance of its statutory duties, powers, purposes and responsibilities. Part II. Preliminary Recommendations for Long-Term IT Governance The Executive Order identified the following principles to be used as guides in formulating my long-term proposal for information technology procurement, management and operation: • • • • • • A clear assignment of responsibility for the procurement, management and operation of the State’s information technology systems; Clear accountability for the procurement, management and operation of the State’s information technology systems; Full and fair opportunity for appropriate public input into decisions related to these matters; Full and fair opportunity for competition among vendors of information technology systems; Clear ethical standards for those individuals who procure, manage and operate the State’s information technology products and services; An appropriate needs assessment and fiscal analysis prior to the procurement of new information technology systems; and,
•
•
3
•
A commitment to obtaining quality systems that meet the needs of the State at the lowest possible price.
To gather a wide range of perspectives on the issues of information technology leadership, governance and oversight, and consistent with the direction given in the Executive Order, I convened six key stakeholder focus groups during June 2002 to request input on how best to reorganize the procurement, management and operation of California's information technology systems. The sessions, facilitated by an organizational and public policy specialist, targeted state agency personnel and external technology professionals. Each focus group session was composed of a single peer group. Internal groups ranged from Agency Information Officers to working level information technology staff. External groups included the private sector, local government and former state executives now working in other venues. In addition, I consulted frequently with the directors of the major data centers, as directed in the Executive Order, and with several legislators and legislative staff. I also met with a number of private sector information technology experts, and convened a special conference call of other state CIO’s recognized for their leadership in information technology. Finally, I reviewed a substantial number of reports and analyses, including several reports by the State Auditor and the Little Hoover Commission, all of DOIT’s annual reports, and reports of best practices from other states. Based on my analyses to date, I have the following preliminary recommendations to establish a clearer chain of command for information technology policy development, project initiation and implementation, and procurement, with the overall goals of obtaining quality information technology systems that fulfill documented State needs at the lowest possible price using a competitive process that has both the appearance and reality of fairness and ethics. I incorporate in my proposed chain of command and processes a number of critical points where public input can be secured and where public accountability can be imposed. My preliminary recommendations are as follows: Governance Structure • The State should establish a Government Technology Oversight Board to be chaired by a Chief Technology Executive Officer for the State. The Board would be responsible and accountable for developing and maintaining statewide information technology regulations, policies, plans, standards, and guidelines for information technology projects, security, operations, projects, and, to a limited extent as discussed below, procurement, but excluding budget and initial project approval decisions (for which the Department of Finance will be responsible and accountable). The exact size and composition of the Board needs further study and discussion. There are many models for size and composition from other States and from analogous boards within California. The State should establish an Office of Government Technology, to be led by the Chief Technology Executive Officer. The Office of Government Technology
•
4
would be responsible and accountable for staffing the Government Technology Oversight Board and assisting the Board in fulfilling its duties. • As a matter of general policy, information technology projects and procurements should be initiated and continued only if they clearly serve the business and information technology needs of State departments and/or clearly improve public access to government. Business and information technology needs and public access should be the drivers of information technology initiatives. The State should clarify the assignment of responsibility and accountability over information technology planning, project approval, procurement oversight, project oversight, and post-implementation project evaluation as follows: Information Technology Planning
•
• The Government Technology Oversight Board would be responsible for
creating a statewide strategic plan and vision for the State’s information technology development and for setting and maintaining statewide regulations, policies, standards and guidelines for information technology projects, security, procurement and operations. These regulations, policies, standards and guidelines, supplemented by any other statutory or regulatory requirements, should ensure completion of a needs assessment and fiscal analysis of every information technology project or procurement as part of the approval process, full and fair competition between vendors so that the State receives the highest quality at the lowest possible price, and observance of stringent ethical standards applicable to those who procure, manage and operate the State’s information technology products and services. The process for developing the strategic plan and any regulations, policies, standards and guidelines must include a full and fair opportunity for public input.
• Each department would be responsible for creating its own strategic plan
and vision for information technology development and for developing department-specific ethical standards for department personnel involved in information technology procurement, management and operations. Department plans, which necessarily focus primarily upon the department’s own business and information technology needs, must be consistent with the statewide strategic plan. Each department would be accountable to the Government Technology Oversight Board for developing these plans and standards, and department strategic plans and ethical standards would be submitted to the Board for review and approval or rejection at public meetings, subject to the budget process.
5
Project Approval Process
• Departments and agencies would be responsible for initiating information
technology projects consistent with both statewide and department strategic plans. The Office of Government Technology would provide technical assistance, as needed, in the planning stages of major IT projects.
• The Department of Finance would have the sole responsibility and
accountability for reviewing and approving or rejecting proposed information technology projects. The Department of Finance would determine a project’s consistency with the statewide and department strategic plans, and statewide regulations, policies, standards and guidelines, evaluate the business case and ensure an appropriate needs assessment and fiscal analysis has been performed, and determine if the project is a sound investment of State funds. In conducting this evaluation, the Department of Finance may consult with the Office of Government Technology for technical advice (but would not be required to do so) and may refer a project proposal to the Government Technology Oversight Board for its review and advice (with the final decision remaining with the Department of Finance). Procurement Oversight
• The Department of General Services would be responsible and
accountable for conducting information technology procurements, except for those procurements which, by statute or regulation, a department can enter into without involving the Department of General Services. The Department of General Services would have the responsibility and accountability for ensuring a full and fair opportunity for competition among vendors, for the observance of ethical standards by those individuals involved in the procurement, and for obtaining quality systems at the lowest possible price.
• In those cases when a department has authority to enter into an
information technology procurement without the involvement of the Department of General Services, the department has the responsibility and accountability for conducting the procurement and for ensuring a full and fair opportunity for competition among vendors, for the observance of ethical standards by those individuals involved in the procurement, and for obtaining quality systems at the lowest possible price.
• Information technology procurements would be brought before the
Government Technology Oversight Board for review and approval or rejection at an appropriate time as determined by the Board to guarantee a full and fair opportunity for public input consistent with the need to ensure
6
fair competition among vendors and to obtain quality systems at the lowest possible price. In deciding whether to approve or reject a procurement, the Board would be responsible and accountable for ensuring that the procurement documents are consistent with applicable information technology regulations, policies, standards and guidelines, is aligned with the department’s business or information technology needs, and will obtain quality systems at the lowest possible price. Oversight of IT Projects
• Each department has responsibility for managing and implementing its
own information technology projects, and is accountable to the Government Technology Oversight Board for management and implementation.
• The Office of Government Technology would have responsibility and
accountability for oversight of a department’s management and implementation of major information technology projects, including providing technical assistance as necessary, and for bringing projects that are getting off track, behind schedule or over budget to the attention of the Government Technology Oversight Board for discussion at a public hearing and for possible remedial actions, subject to the budget process. Evaluation of IT Projects
• When an information technology project has concluded, the department is
responsible for preparing a post-implementation evaluation report to assess the extent to which the project fulfilled the original needs assessment by the department, was consistent with the fiscal analysis, and obtained quality systems at the lowest possible price after a full and fair opportunity for competition among vendors. The report should also include an explanation of any ethical issues that arose in the initiation, procurement or implementation of the project. The department is accountable to the Government Technology Oversight Board for its preparation of a post-implementation evaluation report.
• The Government Technology Oversight Board has responsibility and
accountability for considering post-implementation evaluation reports and approving or rejecting such reports at a hearing at which there is a full and fair opportunity for appropriate public input.
7
doc_221849796.pdf