Information Technology Management: SBA Needs to Establish Policies and Procedures for Key IT Processes

AIMD-00-170 Published: May 31, 2000. Publicly Released: Jul 20, 2000.
Jump To:
Skip to Highlights

Pursuant to a congressional request, GAO reviewed the Small Business Administration's (SBA) management of information technology (IT), focusing on the five key IT process areas--investment management, architecture, information security, software development and acquisition, and human capital management.

Skip to Recommendations


Recommendations for Executive Action

Agency Affected Recommendation Status
Small Business Administration In the investment management area, the Administrator, SBA, should direct the CIO to adopt policies and procedures and define processes for: (1) investment selection to ensure that IT projects result in mission-focused benefits and that risk-adjusted return on investment is maximized; (2) investment control to determine whether selected projects are being developed on time, within budget, and according to requirements, and to take corrective actions as appropriate; and (3) investment evaluation by conducting postimplementation reviews to determine whether completed projects are generated expected mission-focused benefits.
Closed – Implemented
Regarding the investment selection phase progress and plans, SBA issued its "Information Technology Investment Management Guide" in December 2000, and has been using it to select investments. In April 2004, SBA completed a "Cost Benefit Risk Analysis: How-to Guide" that provides techniques for preparing a cost/benefit/risk analysis for Federal capital investments, with a focus on IT investments. With regard to investment control phase progress and plans, SBA's "Information Technology Investment Management Guide" outlines a process for controlling IT investments. In fiscal year 2004, SBA purchased earned value management and project management tools for all IT investment project managers. The agency conducted training on these tools and also trained the project managers on earned value management concepts and practices. In addition, SBA developed a standard tool for project managers to use in preparing monthly status reports to be presented at regular intervals to the Business Technology Investment Advisory Committee. This Committee was created in January 2004 and is comprised of operating level deputies from each major program component of the agency and is cochaired by the Deputy CIO and Deputy CFO. A control phase review was conducted at the June 2004 Business Technology Investment Advisory Committee meeting based largely on the project plan and the earned value management data being generated for projects and included "lessons learned" questions from earlier projects and internal reviews. Regarding the investment evaluation phase using post implementation reviews to determine whether completed projects generated expected mission-focused benefits, SBA's "Information Technology Investment Management Guide" outlines a process for evaluating completed IT projects. The agency expects to complete the development of post-implementation (evaluation) review procedures, and plans to test these procedures in a review of a major investment. SBA expects to implement and institutionalize post-implementation reviews, and incorporate the processes and procedures into its IT investment management guide. Until this has been accomplished, SBA stated that post-implementation reviews will be based on elements of the cost-benefit risk analysis guide and the post implementation review portions of the existing investment guide and lessons learned from recent IT projects. A "proof of concept" post-implementation review has been conducted on a major project.
Small Business Administration In the IT architecture area, the Administrator, SBA, should direct the CIO to: (1) develop a systematic process for architecture development to ensure that the architecture will meet SBA's current and future information processing needs; (2) establish policies and procedures for architecture maintenance to ensure that new systems and software changes are compatible with other systems and SBA's planned operating environment; and (3) set a target date for implementation of the maintenance processes.
Closed – Implemented
SBA's Office of the Chief Information Officer developed an Enterprise Architecture Program to guide the agency in complying with the Clinger-Cohen Act requirements. The program is complementary to and integrated with the roles, processes and procedures for managing IT projects as investments. SBA's "Enterprise Architecture Program Policies and Procedures" guide describes a systematic process for architecture development and establishes policies and procedures for architecture maintenance. On June 30, 2003, SBA instituted the agency's enterprise architecture policies and procedures and began its biennial maintenance procedure.
Small Business Administration For software development and acquisition, the Administrator, SBA, should direct the CIO to: (1) complete the systems development methodology and develop a plan to institutionalize and enforce its use agencywide; and (2) establish policies, procedures, and processes for software development and software acquisition and develop a mechanism to enforce them. These policies, procedures, and processes need to address areas such as requirements management, project planning, project tracking and oversight, software quality assurance, configuration management, acquisition planning, solicitation, contract tracking and oversight, product evaluation, and transition to support.
Closed – Implemented
The agency issued its systems development methodology in September 2001, and received OMB approval for a revised version 2 in March 2004. The methodology includes (1) steps necessary to document functional requirements, (2) an appendix on configuration management that describes the Configuration Management Program and includes the policy that requires an established baseline and configuration management, (3) an appendix on Quality Assurance that describes the Quality Assurance Program training and requires that a quality assurance plan be developed for IT projects. As to establishing policies and procedures for software acquisition, in January 2004, SBA contracted for development of software acquisition methodology and received final documentation at the end of April 2004. SBA stated that software acquisition, policies, procedures and processes will be institutionalized by the end of 2004.
Small Business Administration For information security, the Administrator, SBA, should direct the CIO to: (1) conduct periodic security risk assessments to identify and rank threats and vulnerabilities; (2) implement a complete, effective security awareness program; (3) periodically update policies and procedures on information security and implement security controls to address identified vulnerabilities; (4) complete the development and testing of its comprehensive disaster recovery and business continuity plan, which should then be updated and tested periodically; (5) conduct periodic security evaluations to determine whether policies, procedures, and controls are effective against identified vulnerabilities and take remedial action as needed; and (6) develop and implement a centralized mechanism to monitor and enforce compliance on information security by employees, contractors, and program offices.
Closed – Implemented
SBA is conducting risk assessments and is tracking the status of identified risks and corrective actions; the agency has completed risk assessments for 34 of its 39 high-priority general support and major application systems. With regard to implementing a security awareness program, SBA recently updated security awareness training for end users and is updating its more specialized security awareness training for technical managers and staff. SBA has mandated computer security awareness training for end users and implemented a tool for managers to check for compliance. As of April 23, 2004, approximately 2,500 out of the Agency's 3570 staff (70 percent)have completed the CSAT training. Concerning updating information security policies, procedures, and controls, SBA has issued interim policies to temporarily update information security polices and procedures, and expects to revise its standing information systems security program policies and procedures in the coming months pending approval from the agency's Office of the Inspector General and the Office of the General Counsel. With regard to completing disaster recovery and contingency planning, SBA's Headquarters Continuity of Operations Plan requires that each office's business recovery plan be reviewed and updated semi-annually. Also, the agency has purchased software to be used in developing business recovery plans. With regard to conducting security evaluations, SBA has been tracking the status of identified security weaknesses and corrective actions, and maintaining a schedule for conducting tests and evaluations. SBA reported, in its FY 04 Second Quarter FISMA Update, completion of security tests and evaluations for 11 of its 39 systems. Concerning developing an entity-wide monitoring and enforcement mechanism, SBA has developed and implemented mechanisms to monitor and enforce information security compliance in specific areas. It has developed a management tool to help managers enforce security awareness training requirements, and a database that tracks the status of risks, vulnerabilities, and corrective actions. SBA has developed program metrics that are used to assess the effectiveness of the security program.
Small Business Administration In the human capital management area, the Administrator, SBA, should direct the CIO to: (1) identify SBA's IT knowledge and skills requirements; (2) perform periodic IT staff assessments to identify current levels of IT knowledge and skills; (3) develop workforce strategies and implement plans to acquire and maintain the necessary IT knowledge and skills to support the agency mission; and (4) periodically evaluate progress in improving SBA's IT human capital capability and use the results to continuously improve human capital strategies.
Closed – Implemented
The OCIO is continuing to work on a competency gap analysis with SBA's Office of Human Capital Management and OPM. With regard to identifying future knowledge and skill requirements, SBA said that it is using Circular A-11, Form 300 requirements as the levers to collect better information on the IT skills needed to support projects at various lifecycle stages. Concerning performing assessments of current knowledge and skills, SBA published an assessment of employees' IT knowledge and skills in June 2001, and completed a survey of executives' current knowledge and skills on March 31, 2003. With regard to developing workforce strategies, SBA's Chief Information Officer prepared a briefing, "A Vision for Supporting Information Technology 2003," which includes an outline of a staffing analysis and plans to achieve the new IT staffing strategy. In reference to evaluating progress in improving IT human capital capability, SBA said that efforts to periodically evaluate progress on improving human capital capability and continuously improving human capital strategies are ongoing.

Full Report