HUD Information Resources: Strategic Focus and Improved Management Controls Needed

On August 30, 2001, the Office of the Chief Information Officer indicated that HUD will begin developing a strategic IRM planning process in the near future. As of August 27, 2002, HUD officials stated that the Department has a draft strategic IT plan and expect the plan to be fully approved in September 2002. According to the Chief Architect, the principal author, the strategic IT plan shows how information resources will help achieve the strategic objectives in HUD's Strategic Plan (business plan). The official added that the strategic IT plan will be executed through the enterprise architecture and investment management processes. HUD has substantially implemented this recommendation. Over the years it has developed strategic business plans and GPRA plans, and more recently has made progress in developing a strategic IT plan. In addition, HUD's efforts to develop an enterprise architecture and investment management processes have also linked strategic and tactical business and IT direction. Taken together, these plans and processes should help the Department plan information systems and technology to support its missions and strategic objectives.

HUD has substantially implemented this recommendation. Over the past few years, the Department has made significant strides in its effort to develop and institutionalize an enterprise architecture (EA) and integrate the architecture with its IT investment management process. The department has high-level baseline and target architectures, and has continued to add more layers or detail to its business, data, application, and technology architectures. HUD also added a stakeholders architecture to its EA framework in the past year to incorporate internal stakeholders' and external partners' interactions that are key to the delivery of HUD's programs and services. HUD has established an EA program office; developed and refreshed a baseline architecture; developed EA policies; conducted EA based analyses of HUD's IT investment portfolio; developed applications, data, and technical reference models; developed a conceptual architecture and architecture principles; established enterprise architecture domain teams; identified opportunities to leverage common IT solutions across the enterprise for case management and tracking; and used the architecture in the project selection phase of HUD's investment management process. The Chief Architect's goals for fiscal year 2003 include continuing to develop the enterprise architecture, developing the financial management target architecture after the CFO determines HUD's future accounting and financial management needs, enhancing the enterprise architecture framework to include work force, performance, and security, and attaining full integration between the enterprise architecture and capital planning and investment control processes.

HUD has defined the department-wide data administration functions and responsibilities. HUD established a Central Information Management function and revised data administration standards and procedures. The central data administrator has the authority to ensure compliance with department-wide standards. HUD established a central data repository and has been populating it. HUD issued standards and procedures governing the repository. Data administration training has been provided to program area and systems development personnel.

HUD has made significant progress in this area over the years, only one of the several major computer security weaknesses that GAO observed and reported in 1994 still remains. In its audit report on the Department's fiscal year 2001 and 2000 financial statements, the HUD Inspector General again noted that HUD has continued its effort to improve security controls. Previously reported exposures of sensitive Privacy Act data and payment system data to unauthorized access have been corrected. Data files and software libraries are now protected by validation and verification methods to ensure that users requesting read and write access have the proper authority and need to know. In addition, the number of users with access to powerful system commands has been reduced, and an audit trail has been developed to track the authorized security and system administrative functions. The Inspector General also said that the Department had made corrections to address weaknesses noted in previous reviews of server user settings that would allow unauthorized access. The last area of vulnerability that GAO observed and reported in 1994 remains a reportable condition. During fiscal year 2001, 825 users granted access to HUD's critical and sensitive systems lacked the appropriate background investigations. To correct this, HUD is embarking on another effort to ensure appropriate background investigations. This is to include mandating the use of standard contract modules that require contractor staff to have appropriate background investigations. The HUD IG is expected to continue, as it has for several years, following up on this vulnerability until it is fully corrected. This follow up is a part of the IG's annual financial statement audits.

HUD has fully implemented this recommendation. GAO's analysis of the HUD Computer Center Business Resumption Plan showed that it was consistent with industry criteria, and the HUD Inspector General's report on HUD's fiscal year 1998 financial statements stated that all field offices had also developed acceptable business resumption plans. Since then, however, Inspector General reports on the annual financial statement audits have shown that business resumption plan testing has been inadequate. This was corrected in 2001, and in its report on the fiscal year 2001 and 2000 financial statements, the HUD Inspector General stated that HUD had tested the plans satisfactorily and set up a schedule to conduct periodic testing. This action eliminates a significant internal control deficiency, and helps to ensure and demonstrate that the plans are complete and up-to-date and can be implemented successfully after a disaster or other disruption.

HUD established a management committee responsible for significant financial systems integration issues. The CFO monitors and reports project status to the committee. Each program assistant secretary is responsible for financial integration projects. HUD has developed policies to implement data administration standards and established a data repository to support data administration. HUD developed and is updating a transition plan to guide the change from the existing systems and processes to the new ones.