Arizona Capitol Reports Staff//July 22, 2005
The state agency responsible for information technology planning and policy should provide stronger leadership in the areas of security, privacy, training and procurement, the Auditor General’s Office says.
In addition, the audit released last month says the Government Information Technology Agency (GITA) could improve its review of information technology (IT) projects of various state agencies by focusing on more risky and/or more costly projects and by requiring agencies to provide more supporting detail.
Chris Cummiskey, GITA director, said he was in general agreement with the audit’s recommendations and said he would implement them. He said he would assess two of them before deciding on a course of action, but took issue with the comparison of GITA to IT agencies in other states.
“Though GITA believes this is a good method to determine best practices,” Mr. Cummiskey wrote, “it should be noted that the organizational structure and levels of authority vary widely from state to state. For example, while GITA is mostly a strategic planning and oversight agency, many IT agencies have strategic planning, oversight, and operational responsibilities. This difference in agency mission/organization allows other states access to tools in managing IT that are not available to GITA.”
Established in 1996, GITA is responsible for developing a statewide IT plan, adopting statewide standards, reviewing and monitoring IT projects undertaken by state agencies, providing consulting services to agencies and studying emerging technologies and their impact on the state.
The auditor general applauded GITA for improving its statewide Strategic IT Plan by increasing the use of input from state agencies and adding performance measures. But the auditor found that state agencies do not always adhere to IT security standards developed by GITA.
“For example, reports submitted to GITA by the 11 state agencies with significant IT expenditures showed that eight had not fully implemented at least one of GITA’s standards in network security,” the audit states. “Complying with these standards is important because state agencies have reported four instances in which unauthorized users have penetrated state networks since 2001.”
Statewide Security Plan Recommended
The auditor general recommends that GITA develop a statewide security plan that comprehensively addresses security gaps and that it consider designating a staff member to serve as a chief security officer for the state.
Regarding privacy issues, the auditor general says standards developed by GITA are incomplete. The audit says that GITA should require agencies to collect only data needed to accomplish a legitimate business objective or to meet a statutory or legal requirement. GITA also needs to expand its standards, ensure that agencies comply with them, and include privacy standards when developing a comprehensive security plan, the audit says.
Although GITA is not required by statute to identify and meet state IT training needs, the audit suggests that GITA “is uniquely positioned to assess what these training needs are and to help meet them.”
The audit recommends that GITA should play a larger role in the procurement of IT-related purchases by state agencies. “GITA has not brought its IT expertise to evaluation committees that review proposals from contractors, contending that participation in such committees would conflict with its role in monitoring IT projects,” the audit states.
To improve GITA’s project review-and-approval process, the audit recommends that the agency should seek legislation that would enable it to focus on projects for which the costs are highest or the risks are greatest. Currently, GITA must review all projects costing $25,000 or more.
Suggesting that the agency’s time could be better spent, the auditor general notes that in 2004 GITA reviewed a $35,000 request to replace 36 batteries for backup telephone power at the Capitol. Mr. Cummiskey agreed with the recommendation and said GITA would work with other state agencies to ensure that GITA receives adequate information regarding state IT projects.
Besides focusing its reviews on those projects with greatest cost and/or risk, GITA should also ask agencies for more complete information to improve its review quality, the audit states.
“For example,” the audit says, “GITA currently requires agencies to provide a yes-or-no answer as to whether a project is consistent with GITA’s statewide standards and requires details only if the answer is ‘no.’ Requiring agencies to submit additional information about these projects would help GITA better evaluate whether a sufficient need and justification exists for the project.”