Analysis of the 2007-08 Budget Bill: General Government
The Office of the Chief Information Officer (CIO) was created by Chapter 533, Statutes of 2006 (SB 834, Figueroa). The CIO is a member of the Governor’s cabinet and advises the Governor on information technology (IT) issues. In funding the office for the first time, the Governor’s budget proposes 46.5 positions and expenditures of $7.9 million for CIO. These costs would be paid by state departments through the Department of Technology Services’ rate structure. Included in this proposal are 20.9 new personnel-years (PYs) to handle the office’s administrative and policy development work. In addition, the Department of Finance (DOF) Office of Technology Review, Oversight and Security (OTROS) would be transferred out of DOF. The proposal includes transferring: (1) 25.6 OTROS PYs to CIO to continue the review and oversight of IT projects and (2) 3 OTROS PYs to the newly formed Office of Information Security and Protection within the State and Consumer Services Agency (SCSA) to manage the state’s information security program. We discuss the proposal in detail below.
The administration proposes a number of changes to the state’s information technology (IT) governance structure. Our analysis finds that (1) the planning and policy development roles are appropriately placed with the Chief Information Officer (CIO), (2) moving IT project oversight to CIO would eliminate objectivity, and (3) a separate security office may create an unnecessary layer of review. We recommend the Legislature adopt an alternative structure that addresses these concerns.
The state annually makes large IT investments to improve the management and oversight of programs and the quality of its services to the public. These efforts require the involvement of state staff who are program and IT experts, as well as control agencies which are responsible for ensuring that state funds are spent effectively and consistent with state laws and policies. Historically, the state has struggled to complete IT projects on time and on budget. As we have discussed in prior publications, one of the significant contributors to past problems has been the lack of well-defined roles and responsibilities for key entities. While departments have been responsible for developing and implementing individual projects, which entities are responsible for four key statewide roles has been less well-defined.
Strategic Planning. Strategic planning determines where the state’s IT is going over the next few years. It includes establishing a set of goals to be achieved.
Policies and Standards. Policies and standards are developed in order to provide a framework for achieving the strategic goals. These give direction, structure, and consistency to departmental IT projects. While policies are general strategies, standards are more specific in nature.
Project Review, Approval, and Oversight. Proposed IT projects are reviewed by departmental management and control agencies to ensure the projects will meet the programs’ business needs, are cost-effective, and align with the state’s strategic direction. Once approved for implementation, oversight provides independent and objective monitoring to ensure the project stays within its planned scope, schedule, and budget.
Information Security. Information security employs policies, standards, and other tools to protect data from unauthorized access and use.
Although the state has tried a number of IT governance models over the past three decades, none has proven to be an effective, long-term solution. In our view, the failure to establish a coherent and effective IT governance structure continues to place the state at risk of not completing IT projects on time and on budget. In this piece, we first describe the current IT governance structure, then discuss the administration’s proposed changes, and finally recommend an alternative solution.
In 2002, the Legislature allowed the Department of Information Technology (DOIT) to sunset after seven years of struggling to meet its statutory mandates to oversee the state’s IT structure. In its place, the Legislature funded an interim IT governance structure which heavily relies on DOF to perform multiple roles.
Strategic Planning. In 2002, the Governor appointed a CIO to be an advisor on the state’s IT strategic direction. At the cabinet level, it is the CIO’s role to be knowledgeable about IT tools and trends and to work with department executives to develop a plan to support the successful delivery of state IT solutions. In 2004, the CIO first published the California IT Strategic Plan. This plan includes a set of goals for improving the use of IT. Prior to Chapter 533, the CIO was not authorized by state law, and the CIO currently has no formal staff or budget.
Policies and Standards. Since the sunset of DOIT, OTROS has worked within DOF to produce state IT policies and standards. These are published in the State Administrative Manual and the State Information Management Manual. In addition, the Department of General Services has developed a set of policies and standards to guide state IT procurements.
Project Review, Approval, and Oversight. In the current structure, OTROS reviews IT projects for risk and benefit. The OTROS analysts coordinate their reviews with the associated DOF budget analyst so that IT projects are approved for funding within the context of the state budget situation. In poor economic times, DOF has denied funding for new IT projects and delayed projects that were in progress in order to manage costs. For projects that are approved for implementation, OTROS has developed a three-tier oversight process. Projects are categorized by key factors—such as cost and the experience of the project manager—to determine if they are low, medium, or high risk. Low- and medium-risk projects are principally overseen at the departmental and agency levels. Focusing on high-risk projects, OTROS performs independent oversight to see that projects stay within scope, schedule, and cost.
Information Security. Three PYs within OTROS currently manage the state’s information security program. A limited set of security policies have been issued, but DOF largely requires that departments develop their own security policy framework. To date, security has not been a prominent focus for OTROS.
Chapter 533 lays out very broad roles for CIO. In its budget proposal, the administration significantly expands those roles to make CIO the key agency of its proposed IT structure.
Strategic Planning. The CIO has developed and led state IT strategic planning efforts over the past few years, and the administration’s proposal continues this role for CIO.
Policies and Standards. Under the administration’s plan, responsibility for developing IT policies and standards would be transferred from DOF to CIO. The CIO would be charged with aligning these policies and standards with the state strategic plan.
Project Review, Approval, and Oversight. The administration proposes to move IT project review, approval, and oversight from DOF to CIO. Most OTROS staff would be transferred to CIO. Approved projects would then receive ongoing oversight by CIO. The administration reports that it expects project reviews and oversight to continue in a similar manner.
Information Security. The administration proposes to transfer DOF’s three security positions out of the department. The security positions would be combined with the current 8.3 positions in the Office of Privacy Protection in the Department of Consumer Affairs (DCA) to form a new Office of Information Security and Privacy within SCSA. The new office would combine the responsibility for “protecting the state’s information assets” with “developing consumer education programs.”
Planning, Policies, and Standards Makes Sense at CIO. We believe that the administration’s proposal to place responsibility for the state’s IT planning, policy, and standards with CIO makes sense. The CIO’s knowledge of IT industry tools and trends makes this a natural alignment. The CIO role will tend to involve advocacy for those projects which are consistent with these policies and promote the state’s IT strategic plan. We do, however, have concerns with other aspects of the proposal.
Overly Ambitious Plans for CIO. In organizing CIO, the budget proposal lists 15 major goals that will come from its formation—including improving IT procurements, enhancing training of state staff, and reorienting the state’s Web pages. There is no prioritization reflected in the proposal. Particularly in CIO’s early years, we are concerned that such an aggressive agenda will result in reduced effectiveness. In fact, the same problem plagued DOIT during its existence. In a 2003 report, the Bureau of State Audits found that “DOIT attempted to make inroads on many issues, perhaps too many issues, all at once. This scattershot approach did not allow it to garner accomplishments that would engender support and credibility.”
Separating Approval From Funding Creates Risks. The CIO would have no project funding authority, which would remain with DOF’s budget staff. In theory, CIO would turn over an approved project to DOF to be fully funded. In practice, however, this could be a challenging process to manage and would require a high level of coordination and information sharing between DOF and CIO. The proposal provides no plan for coordinating project approval and funding. Departments could end up with a project approved by CIO’s office and still be denied funding by DOF. This is another problem that contributed to DOIT’s failure. At the time, DOIT’s responsibility was to approve project plans based on sound management practices and DOF’s responsibility was to approve project budgets. Yet, DOF often approved projects at funding below the level recommended by DOIT. Eventually, DOIT’s role became diminished because it did not have the financial clout to support its decisions.
Oversight Must Be Independent. As a control agency, DOF performs the role of dispassionate review of state programs and projects. This makes its IT oversight more effective by adding objectivity to the process. We are concerned, however, that CIO’s advocacy for projects will limit its ability to provide an independent perspective on oversight.
Security Proposal Would Add Unnecessary Layer. Information security has not received priority within DOF. Security policies can increase costs, which runs counter to DOF’s core mission of controlling costs. Moving the security program out of DOF, therefore, is a positive step. The administration’s choice in moving IT security to SCSA appears to be an effort to follow industry practices to separate the CIO from security. To the extent that projects will receive security reviews by SCSA under the new structure, however, it would add another cumbersome layer of review in addition to CIO and DOF. It is also unclear how policies issued by CIO would be integrated with security policies issued by SCSA.
Based on the concerns raised above, we recommend that the Legislature amend the administration’s proposed IT governance structure. Our recommendation emphasizes CIO’s role as a strategic office, while maintaining specific project review and approval at DOF. We describe our alternative below.
Strategic Planning, Policies, and Standards. The administration’s proposal to place these responsibilities with CIO makes sense. The CIO would be the state’s IT program expert and should be responsible for its planning and policy development.
Project Review, Approval, and Oversight. The current IT project funding and oversight structure has produced a reasonable approach to identifying and managing project risks and has provided balance between risk management and funding constraints. One key component is that DOF has the authority to approve, fund, and oversee a project. In addition, particularly in the short term, CIO will have other priorities upon which to focus. Adding the management of every state IT project to CIO’s workload will stretch its capabilities, even with OTROS staff relocated. We therefore recommend that OTROS’s project review and oversight roles remain at DOF. The CIO would still be involved in the development of key IT projects. The CIO’s involvement, however, would be from a strategic perspective rather than the “nuts and bolts” of detailed reviews.
Information Security. Information security should receive more focus than it has received under the current structure. Creating a third IT review office (in addition to CIO and DOF), however, could unnecessarily hinder project reviews. We instead recommend that the security function be included within CIO’s policies and standards role. As CIO issues statewide policies, it should include the perspective of how security is affected and how data could be better protected. The three security positions currently at DOF should be transferred to CIO. We recommend leaving the Office of Privacy Protection within DCA, where it can continue its consumer-oriented role.