Article 10 – Project Review and Basic Policy

44010.1 Policy

The Department has established policy regarding project reporting and evaluation for each approved information technology project, in accordance with the requirements of State Administrative Manual (SAM) 4940. All operating units within CDC shall adhere to the requirements set forth in the current section concerning project review, reporting, and evaluation. Additional requirements may be specified by the Office of Information Technology (OIT) in response to the Department’s Information Management Annual Plan (IMAP) or in response to other needs reported by the Department (agency requirements are provided in SAM 4819.3 through 4819.39).

44010.2 Purpose

The purpose of this policy is to ensure that State and CDC project review requirements are implemented on an ongoing basis.

44010.3 Project Review Overview

Once the Feasibility Study Report (FSR) for an information technology project has been approved by the Management Information Systems (MIS) Committee (and also by OIT for non-delegated projects, or by the Department of General Services (DGS) for projects involving communications), the design, acquisition, development, and implementation phases of the project may proceed.

The success of each phase of the project shall be evaluated and reported in terms of the project objectives. Included are project reports, a formal management review, and a post-implementation assessment. (SAM 4944 through 4946.2 provide a framework for project monitoring and evaluation.)
44010.3.1 Information Technology Project Reports

Two information technology project reports are specified, the Quarterly Project Report (QPR) and the Special Project Report (SPR). These reports:

- Support continuing communication among all project participants (project management, program management, and executive management).
- Expose potential problems with respect to the availability of resources or the meeting of mandated project dates.
- Provide for CDC management and control agency review of project progress at appropriate intervals throughout the life of the project.

44010.3.2 Formal Project Review

In addition to the QPR and SPR, a major management briefing, known as the Formal Project Review (FPR), may be initiated by CDC management or required by OIT for any information technology project. The FPR allows for CDC management or control agency review of large projects after completion of the general design phase, but before substantial resources have been committed to the project. It may also be employed to provide a formal management assessment of a project at any point during the development cycle.

44010.3.3 Post Implementation Assessment

Following completion of each information technology project, CDC shall carry out a post-implementation assessment. The assessment shall:

- Measure the benefits and costs of the newly implemented information technology application or system against the original objectives.
- Document projected operations and maintenance costs over the life of the application or system.

44010.3.4 EDP Audit

Every two years the Department shall carry out and submit to the Department of Finance (DOF) an Electronic Data Processing (EDP) audit. This audit is the responsibility of the Internal Audit Unit of the Program and Fiscal Audits Branch (PFAB) (see Department Operations Manual (DOM) 49040). The audit shall be consistent with the DOF publication, “Information Technology Security and Risk Management Guidelines.” This guide reflects the SAM requirements regarding the responsibility and control of EDP policy, and provides audit guidelines; however, it may not cover all areas to be audited. The guide and information about it are available through the Internal Audit Unit of PFAB.

To accomplish this audit it is likely that ITS under development shall be selected for audit on a sample basis. The intent of the audit is to make an assessment of the degree of compliance by CDC with departmental and State policies and procedures. The scope of the audit shall include, but not be limited to, the following:

- Project approvals, feasibility study, and risk analysis (DOM 49020).
- Operational recovery plan (DOM 49030).
- Information security practices.

The Project Manager is responsible for ensuring that the project documentation is in compliance with policy.
44010.4 Project Review Central Control/Clearinghouse

All IMAP “external” and “internal” reporting activities shall be monitored by CDC management through a central control agency/contact with regard to OIT-reportable projects, OIT projects delegated to the Department, and all other Department information technology projects with an approved FSR, including those requiring a Summary Fact Sheet or Workgroup Computing Justification Form. The Information Services Division, System Support Unit (ISD-SSU) shall be responsible for the central clearinghouse function. Refer to DOM 43030.3, User Project Manager, for project reporting responsibilities.

Responsibilities

The ISD-SSU central clearinghouse monitors all external and internal quarterly project reports, special project reports, and post-implementation assessments. Project managers shall ensure that appropriate sign-off is attained on all projects before documents are submitted to the central clearinghouse. It is the responsibility of the central clearinghouse to:

- Develop a cataloging system to monitor the completion and distribution of required reporting per schedule.
- Notify project managers of scheduled reports prior to the report due date.
- Review completed reports to ensure adherence to the State-required format.
- Maintain copies of all reports and, in effect, act as a liaison between OIT and CDC project management concerning reporting requirements throughout the life cycle of the project.

Summary Information Report

Since ITS approval and oversight are the responsibility of the MIS Committee, the central clearinghouse function shall provide summary information on each ITS project to the MIS Staff Committee at its quarterly meetings. This summary information shall include:

- The project title.
- MIS approval date.
- Projected completion date.
- OIT delegation status.
- FSR status.
- QPR status.
- Post Implementation Evaluation Report (PIER) status.

The central clearinghouse shall also provide the MIS Committee with a summary project status profile, which may be in the form of the project’s most current QPR and, if necessary, SPR.
44010.5 Project Compliance Review

The Department is subject to compliance reviews conducted by OIT, or by specified units within CDC. The purpose of a compliance review is to verify CDC adherence to Department and State information technology policies and procedures.

Types of Compliance Reviews

ITS within CDC are subject to four types of reviews:

- Type 1. Policy compliance reviews (SAM Section 4942).
- Type 2. EDP audit reviews (see DOM 49050).
- Type 3. Information security, risk management, and operational recovery compliance reviews (SAM Sections 4840 through 4845; DOM 49000).
- Type 4. Facility peer reviews.

Policy Compliance Review

Type 1 – Policy compliance reviews are conducted by OIT. Responses to this type of review shall be coordinated by the central clearinghouse function of ISD.

EDP Audit Reviews

Type 2 – EDP audit reviews are part of an audit required by SAM, and are usually conducted by the Internal Audits Unit of PFAB. Alternately, it is possible that Type 2 reviews shall be carried out by the Audits Group of DOF, but responsibility for the audit reviews remains with PFAB. The owner of an information system is responsible for providing responses to audit findings regarding that system.

Security, Risk, and Operational Compliance Reviews

Type 3 – Information security, risk management, and operational recovery compliance reviews are ongoing and are conducted by the Information Security Unit within PFAB. These reviews are usually not oriented to a specific system or project, and are limited in scope to the policies contained in SAM Sections 4840 through 4845 and DOM Subchapter 49000.

Facility Peer Reviews

Type 4 – Facility peer reviews are reviews of business services operations conducted by the Department on a rotational basis at each of CDC’s facilities. The EDP portion of the peer review includes a functional review of Offender Based Information Services, the Distributed Data Processing System (DDPS), and personal computer security practices and system utilization.

The review teams are composed of business services and administrative staff from headquarters and the facilities.

Non-Delegated Projects

OIT reviews project reporting documentation in conjunction with its compliance review and oversight responsibilities.

Delegated Projects

For delegated projects, the MIS Committee shall determine when a compliance review is to be conducted, the scope of the review, and who shall perform the review.

44010.6 Revisions

Revised January 4, 2010

The Assistant Secretary, Enterprise Information Services (EIS) (formerly Information Services Division), or designee shall be responsible for ensuring that the contents of this Article are kept current and accurate.

44010.7 References

- SAM §§ 4819.3 to 4819.39, 4840 – 4845, 4940, 4942, and 4944 – 4946.2.
- DOM §§ 49000, 49020, 49030, 49040, 49050, 43030.5.
- DOF publication, “Information Technology Security and Risk Management Guidelines.”