Best Practices and Leading Practices in Information Technology Management
GAO has identified a set of essential and complementary management disciplines that provide a sound foundation for information technology (IT) management. These include: IT strategic planning, Enterprise architecture, IT investment management and Information Security.
IT strategic planning
Advances in technology are changing the way agencies do business. Two laws, the Paperwork Reduction Act of 1995 and the Clinger-Cohen Act of 1996, establish a framework to help agencies more effectively manage IT through strategic planning.
An agency should:
- Document its IT strategic planning process, including, at a minimum, (1) the responsibilities and accountability for IT resources across the agency; and (2) the method by which the agency defines program information needs and develops strategies, systems, and capabilities to meet those needs.
- Document its process to integrate IT management operations and decisions with organizational planning, budget, financial management, human resources management, and program decisions.
- Require that information security management processes be integrated with strategic and operational planning processes.
- Institute a process to account for all IT-related expenses and results.
- Prepare an enterprisewide strategic information resources management plan. At a minimum, an information resources management plan should (1) describe how IT activities will be used to help accomplish agency missions and operations, including related resources; and (2) identify a major IT acquisition program(s) or any phase or increment of that program that has significantly deviated from cost, performance, or schedule goals established for the program.
- Ensure its performance plan required under the Government Performance and Results Act of 1993 (GPRA), as amended by the GPRA Modernization Act of 2010 (1) describes how IT supports strategic and program goals; (2) identifies the resources and time periods required to implement the information security program plan required by FISMA; and (3) describes major IT acquisitions contained in the capital asset plan that will bear significantly on the achievement of a performance goal.
- Have a documented process to (1) develop IT goals in support of agency needs; (2) measure progress against these goals; and (3) assign roles and responsibilities for achieving these goals.
- Establish goals that, at a minimum, address how IT contributes to (1) program productivity, (2) efficiency, (3) effectiveness, and (4) service delivery to the public (if applicable).
- Establish IT performance measures to monitor actual-versus-expected performance. Measures should align with the GPRA performance plan.
- In an annual report, to be included in the budget submission, describe progress in using IT to improve the efficiency and effectiveness of agency operations and, as appropriate, deliver services to the public.
- Benchmark IT management processes against appropriate public and private sector organizations and/or processes in terms of costs, speed, productivity, and quality of outputs and outcomes.
An enterprise architecture (EA) is an integral part of the IT investment management process. An EA provides a clear and comprehensive picture of the structure of an entity. This picture consists of snapshots of its current and proposed technical environments, and a roadmap for transitioning from the current to the target environment. When properly managed, an EA can help optimize the relationships among an organization's business operations and the IT infrastructure and applications supporting them.
Agencies should complete steps in five stages:
- Stage 1: Create EA Awareness
- Raise awareness about the value of an EA.
- Stage 2: Build a foundation for managing EA
- Commit the necessary resources, including people, processes and tools.
- Select a framework or methodology as the basis for developing EA products and select a tool for managing EA activities.
- Stage 3: Develop the EA
- Develop EA products according to the selected framework, methodology, tools, and established management plans. Products should describe the organization in terms of business, performance, information, service, and technology. Terms should be described âas-isâ and âto-be.â
- Track and measure progress against plans, identifying and addressing variances, as appropriate, and report on progress.
- Stage 4: Complete the EA
- Obtain approval for the completed EA product from the EA steering committee and the head of the organization.
- Have an independent agent (e.g., Inspector General) assess the quality (i.e. completeness and accuracy) of the EA products.
- Stage 5: Leverage the EA to manage change
- Write and approve an organization policy for IT investment compliance with EA.
- Institute a process to formally manage EA change, and periodically update EA products.
- Ensure that IT investments comply with EA.
- Measure and report return on EA investments.
- Measure and report compliance with EA.
IT investment management
IT projects can significantly improve an organization's performance, but they can also become costly, risky, and unproductive. Agencies can maximize the value of IT investments and minimize the risks of IT acquisitions when they have an effective and efficient IT investment management process, as described in GAO's guide to effective IT investment management.
- Stage 1: Create awareness
- Raise awareness about the importance of a disciplined investment management processes.
- Stage 2: Build the foundation
- Create an investment review board, and define its membership, guiding policies, operations, roles, responsibilities, and authorities.
- For each project, develop a business case that identifies the key executive sponsor, business customers (or end users), and the business needs that the IT project will support.
- Introduce a defined process that the organization can use to select new IT proposals and reselect ongoing projects.
- Monitor projects against cost and schedule expectations as well as anticipated benefits and risks.
- Stage 3: Develop a complete investment portfolio
- Define criteria for determining which investments to include in the investment portfolio. Criteria could include quantitative or qualitative factors such as cost, benefit, schedule, and risk.
- Use the criteria to select investments for the portfolio.
- Evaluate the portfolio by adding the element of portfolio performance to the organization's control process activities.
- Review IT projects by comparing actual results to estimates in order to learn from past investments and initiatives.
- Stage 4: Improve the process
- Evaluate the performance of the portfolio to improve both current IT investment management processes and the future performance of the IT portfolio.
- Analyze and manage the replacement of IT investments and assets with their higher-value successors.
- Stage 5: Leverage IT for strategic outcomes
- Optimize the investment management process exploit IT decision making to improve the value of an IT investment management process.
- Learn about and implement other organizations' best practices for IT investment.
- Use IT to renovate and transform work processes and to push the organization to explore new and better ways to execute its mission.
Federal agencies rely extensively on IT systems and electronic data to carry out their missions. Effective security for these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. The Federal Information Security Management Act (FISMA) of 2002 helps ensure agencies have adequate security safeguards.
- Periodically assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of their information and information systems.
- Develop risk-based policies and procedures that cost-effectively reduce information security risks throughout the life cycle of each information system in their information security programs.
- Develop subordinate system security plans for providing adequate security for networks, facilities, and systems or groups of information systems (as appropriate).
- Provide appropriate security awareness training to personnel, including contractors and other users of information systems that support the operations and assets of the agency.
- Test and evaluate the effectiveness of information security policies, procedures, and practices with a risk-based frequency, but no less than annually.
- Create a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in information security policies, procedures, and practices.
- Have procedures for detecting, reporting, and responding to security incidents; mitigating risks associated with such incidents before substantial damage is done; and notifying and consulting with the information security incident center and other entities, as appropriate, including law enforcement agencies and other relevant officials.
- Have plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency. Test plans to ensure they work.
- Develop, maintain, and annually update an inventory of major information systems.