Leading Practices in Information Technology Management
Information technology (IT) management requires a sound foundation in areas such as IT strategic planning, enterprise architecture, IT investment management, and information security.
IT Strategic Planning
Advances in technology have changed and continue to change the way agencies do business—which affects how agencies need to plan strategically to manage their IT.
An agency should:
- Document its IT strategic planning process, including, at a minimum,
  (1) the responsibilities and accountability for IT resources across the agency; and
  (2) the method by which the agency defines program information needs and develops strategies, systems, and capabilities to meet those needs.
- Document its process to integrate IT management operations and decisions with other organizational processes, including organizational planning, budget, financial management, human resources management, and program decisions.
- Integrate information security management processes with strategic and operational planning processes.
- Institute a process to account for all IT-related expenses and results.
- Prepare an enterprise-wide IT strategic plan. At a minimum, the plan should
  (1) describe how IT activities will be used to help accomplish agency missions and operations, including related resources; and
  (2) identify a major IT acquisition program(s) or any phase or increment of that program that has significantly deviated from cost, performance, or schedule goals established for the program.
- Ensure that the IT strategic plan supports the agency strategic plan and helps accomplish agency missions by
  (1) describing how IT supports strategic and program goals; and
  (2) identifying the resources and time periods required to implement the information security program plan required by FISMA.
- Have a documented goals process to
  (1) develop IT goals in support of agency needs;
  (2) measure progress against these goals; and
  (3) assign roles and responsibilities for achieving these goals.
- Establish goals that, at a minimum, address how IT contributes to
  (1) program productivity,
  (3) effectiveness, and
  (4) service delivery to the public (if applicable).
- Establish IT performance measures to demonstrate how IT enables progress toward agency objectives and strategic goals.
- Annually describe progress in using IT to improve agency operations and service delivery, as appropriate. This should be in a report included in the budget submission.
- Benchmark IT management processes against appropriate public and private sector organizations and/or processes in terms of costs, speed, productivity, and quality of outputs and outcomes.
Enterprise Architecture
An enterprise architecture (EA) is a well-defined blueprint for an organization that shows relationships among business operations and the IT infrastructure and applications supporting them. Using EA effectively provides a clear and comprehensive picture of the organization that includes analyses of current conditions, targeted conditions, and a roadmap for getting the organization from the current to the target. Successful organizations use EA when making changes or modernizing systems.
An agency should complete the steps described in the EA Management Maturity Framework, including:
- Create EA awareness
  - Raise awareness about the value of an EA.
- Establish EA institutional commitment and direction
  - Develop the foundation for an EA program by grounding EA development in policy and ensuring that top executives take ownership of the architecture.
  - Establish leadership through an EA executive committee, approved EA goals, proactive outreach, and appointing and empowering a chief architect.
  - Establish a management construct to measure performance and maintain accountability.
- Create the management foundation for EA development and use
  - Establish operational EA program offices and ensure that leadership, funding, requisite tools, and human capital are available for these program offices.
  - Develop the core plans and processes needed to manage and execute the EA program.
- Develop initial EA versions
  - Engage stakeholders in EA development and implement human capital plans.
  - Combine resources with acquired tools to execute EA management plans and schedules aimed at delivering the target architecture.
  - Develop segment architectures using available tools and defined plans and schedules.
  - Measure and report progress to the executive committee.
  - Proactively identify and address EA development risks.
- Complete and use an initial EA version for targeted results
  - Obtain approval for the EA from the executive committee.
  - Use the approved EA to guide and constrain capital investment selection and control decisions—e.g., using EA to identify potential duplication and overlap to inform the selection of new investments.
  - Measure and report various factors to the executive committee, including EA product quality, investment compliance, subordinate architecture alignment, and results and outcomes.
- Expand and evolve the EA and its use for institutional transformation
  - Extend the EA’s scope to the entire organization; ensure enterprise-wide alignment and integration.
  - Continuously maintain architecture products and obtain approval for major updates of the corporate EA by the head of the organization.
  - Have an independent agent assess the architecture product quality and have the results reported to the chief architect and the executive committee.
- Continuously improve the EA and its use to achieve corporate optimization
  - Focus on continuously improving the quality of the suite of EA products and the people, processes, and tools used to govern their development, maintenance, and use.
IT Investment Management
IT projects can significantly improve an organization's performance, but they can also become costly, risky, and unproductive. Agencies can maximize the value of IT investments and minimize the risks of IT acquisitions with an effective and efficient IT investment management process.
As described in the guide to effective IT investment management, an agency should:
- Create awareness
  - Raise awareness about the importance of disciplined investment management processes.
- Build the foundation
  - Create an investment review board and define its membership, guiding policies, operations, roles, responsibilities, and authorities.
  - For each project, develop a business case that identifies the key executive sponsor, business customers (or end-users), and the business needs that the IT project will support.
  - Define a process that the organization can use to select new IT proposals and reselect ongoing projects.
  - Monitor projects against cost and schedule expectations as well as anticipated benefits and risks.
- Develop a complete investment portfolio
  - Define criteria for determining which investments to include in the investment portfolio. Criteria could include quantitative or qualitative factors such as cost, benefit, schedule, and risk.
  - Use the criteria to select investments for the portfolio.
  - Evaluate the portfolio by adding the element of portfolio performance to the organization's control process activities.
  - Review IT projects by comparing actual results to estimates in order to learn from past investments and initiatives.
- Improve the process
  - Evaluate the performance of the portfolio to improve both current IT investment management processes and the future performance of the IT portfolio.
  - Analyze and manage the replacement of IT investments and assets with their higher-value successors.
- Leverage IT for strategic outcomes
  - Optimize the investment management process used to exploit IT decision making to improve the value of an IT investment management process.
  - Learn about and implement other organizations' best practices for IT investment.
  - Use IT to renovate and transform work processes and to push the organization to explore new and better ways to execute its mission.
Information Security
Federal agencies rely extensively on IT systems and electronic data to carry out their missions. Effective security for these systems and data is essential to prevent data tampering, disruptions in critical operations, fraud, and inappropriate disclosure of sensitive information. The Federal Information Security Modernization Act (FISMA) of 2014 helps ensure agencies have adequate security safeguards.
An agency should:
- Periodically assess the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of its information and information systems.
- Develop risk-based policies and procedures that cost-effectively reduce information security risks throughout the life cycle of each information system in its information security programs.
- Develop subordinate system security plans for providing adequate security for networks, facilities, and systems or groups of information systems (as appropriate).
- Provide appropriate security awareness training to personnel, including contractors and other users of information systems that support its operations and assets.
- Test and evaluate the effectiveness of information security policies, procedures, and practices as frequently as the risk level requires but no less than annually.
- Create a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in information security policies, procedures, and practices.
- Establish procedures for detecting, reporting, and responding to security incidents, which may include using automated tools; mitigating risks associated with such incidents before substantial damage is done; and notifying and consulting with the information security incident center and other entities, as appropriate, including law enforcement agencies and other relevant officials.
- Establish plans and procedures to ensure continuity of operations for information systems that support its operations and assets. Test plans to ensure they work.
- Develop, maintain, and annually update an inventory of major information systems.
GAO-10-846G: Published: Aug 5, 2010. Publicly Released: Aug 5, 2010.
This publication supersedes GAO-03-584G Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1), April 2003, and Information Technology: A Practical Guide to Federal Enterprise Architecture, Version 1.0, February 2001. Effective use of an enterprise architecture (EA) is a hallmark of successful organizations and an essential means to achievin...
GAO-09-232G: Published: Feb 2, 2009. Publicly Released: Feb 2, 2009.
FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards. This version supersedes the prior version, Federal Information System Controls Audit Manual: Volume I Financial Statement Audits, AIMD-12.19.6, January 1, 2001. The FISCAM is designed to be used primarily on financial and performa...
GAO-04-394G: Published: Mar 1, 2004. Publicly Released: Mar 1, 2004.
This publication supersedes AIMD-10.1.23, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft), May 2000. In 2000, GAO published an exposure draft of Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (ITIM). Built around the select/control/evaluate approach described in the Cling...
GAO-04-49: Published: Jan 12, 2004. Publicly Released: Feb 11, 2004.
Over the years, the Congress has promulgated laws and the Office of Management and Budget and GAO have issued policies and guidance, respectively, on (1) information technology (IT) strategic planning/performance measurement (which defines what an organization seeks to accomplish, identifies the strategies it will use to achieve desired results, and then determines how well it is succeeding in rea...
GAO-20-249SP: Published: Sep 8, 2020. Publicly Released: Sep 8, 2020.
Federal agencies' efforts to acquire IT have often cost more than expected, taken longer, and produced systems that failed to perform. IT acquisitions and operations management has been on our High Risk List since 2015. In this report, we profile 16 critical IT acquisitions, describing risks to their cost and schedule, and more. For example, the FBI plans to spend $1.6 billion over 14 years for co...
GAO-20-500PR: Published: Apr 23, 2020. Publicly Released: Apr 30, 2020.
Each year, we make more than 1,000 recommendations to help improve the federal government. We alert department heads to the recommendations where they can save the most money, address issues on our High Risk List, or significantly improve government operations. This report outlines our 17 priority open recommendations for the Department of Housing and Urban Development (HUD) as of April 2020. Fo...
GAO-20-279: Published: Mar 5, 2020. Publicly Released: Mar 5, 2020.
The Office of Management and Budget has been working with federal agencies to reduce the number of outdated or duplicative federal data centers. In fiscal year 2019, agencies closed 102 centers, and planned to close 184 more. OMB also narrowed the definition of a data center, recategorizing about 2,000 facilities and excluding them from federal reporting requirements. But many of these facilities...
GAO-19-641T: Published: Jun 26, 2019. Publicly Released: Jun 26, 2019.
The federal government has spent billions on information technology projects that have failed or performed poorly. Some agencies have had massive cybersecurity failures. These IT efforts often suffered from ineffective management. We testified about 2 issues on our High Risk List: management of IT acquisitions and operations, and cybersecurity. Since 2010, agencies have implemented 60% of our 1...
GAO-19-544T: Published: May 1, 2019. Publicly Released: May 1, 2019.
When the Department of Homeland Security began operations in 2003, its leadership faced the daunting task of transforming 22 agencies into one department. Although DHS has been on our High Risk List since then, the department has made considerable progress. We testified about this progress, as well as actions still needed to address management challenges. For example, we recommended that DHS stre...
GAO-19-241: Published: Apr 11, 2019. Publicly Released: Apr 11, 2019.
Federal agencies operate thousands of data centers and since 2010 have been required to close unneeded facilities and improve the performance of the remaining centers. Across the government, agencies have closed 6,250 centers to date and saved $2.7 billion. However, only 2 agencies in our review planned to meet September 2018 government-wide optimization goals that include, for example, a target...
GAO-19-380SP: Published: Apr 3, 2019. Publicly Released: Apr 10, 2019.
Each year, we make more than 1,000 recommendations to help improve the federal government. We alert department heads to the recommendations where they can save the most money, address issues on our High Risk List, or significantly improve government operations. This report outlines our 9 priority open recommendations for the Department of Housing and Urban Development as of April 2019. For examp...
GAO-19-275T: Published: Dec 12, 2018. Publicly Released: Dec 12, 2018.
The federal government has spent billions on information technology projects that failed or have performed poorly. These efforts often suffered from ineffective management. Agencies have also had cybersecurity failures affecting millions of people. This testimony addresses 2 issues we identified as high risk for the federal government: management of IT acquisitions and operations, and cybersecuri...
GAO-18-703T: Published: Sep 27, 2018. Publicly Released: Sep 27, 2018.
The Social Security Administration (SSA) has improved its management of information technology (IT) acquisitions and operations by addressing 14 of the 15 recommendations that GAO has made to the agency. For example, Incremental development. The Office of Management and Budget (OMB) has emphasized the need for agencies to deliver IT investments in smaller increments to reduce risk and deliver capab...
GAO-18-326: Published: May 24, 2018. Publicly Released: May 24, 2018.
The strength of Department of Defense's (DOD) policies for managing and overseeing major automated information system (MAIS) programs varies. Specifically, the policy for managing 24 non-business MAIS programs adheres to leading information technology (IT) management practices, but the policy for managing 10 MAIS business programs does not always do so (see table). Analysis of Department of Defense...