Pursuant to a congressional request, GAO reviewed the Small Business Administration's (SBA) management of information technology (IT), focusing on the five key IT process areas--investment management, architecture, information security, software development and acquisition, and human capital management.
Recommendations for Executive Action
| Agency | Recommendation |
| --- | --- |
| Small Business Administration | In the investment management area, the Administrator, SBA, should direct the CIO to adopt policies and procedures and define processes for: (1) investment selection to ensure that IT projects result in mission-focused benefits and that risk-adjusted return on investment is maximized; (2) investment control to determine whether selected projects are being developed on time, within budget, and according to requirements, and to take corrective actions as appropriate; and (3) investment evaluation by conducting postimplementation reviews to determine whether completed projects are generating expected mission-focused benefits. |
| Small Business Administration | In the IT architecture area, the Administrator, SBA, should direct the CIO to: (1) develop a systematic process for architecture development to ensure that the architecture will meet SBA's current and future information processing needs; (2) establish policies and procedures for architecture maintenance to ensure that new systems and software changes are compatible with other systems and SBA's planned operating environment; and (3) set a target date for implementation of the maintenance processes. |
| Small Business Administration | For software development and acquisition, the Administrator, SBA, should direct the CIO to: (1) complete the systems development methodology and develop a plan to institutionalize and enforce its use agencywide; and (2) establish policies, procedures, and processes for software development and software acquisition and develop a mechanism to enforce them. These policies, procedures, and processes need to address areas such as requirements management, project planning, project tracking and oversight, software quality assurance, configuration management, acquisition planning, solicitation, contract tracking and oversight, product evaluation, and transition to support. |
| Small Business Administration | For information security, the Administrator, SBA, should direct the CIO to: (1) conduct periodic security risk assessments to identify and rank threats and vulnerabilities; (2) implement a complete, effective security awareness program; (3) periodically update policies and procedures on information security and implement security controls to address identified vulnerabilities; (4) complete the development and testing of its comprehensive disaster recovery and business continuity plan, which should then be updated and tested periodically; (5) conduct periodic security evaluations to determine whether policies, procedures, and controls are effective against identified vulnerabilities and take remedial action as needed; and (6) develop and implement a centralized mechanism to monitor and enforce compliance on information security by employees, contractors, and program offices. |
| Small Business Administration | In the human capital management area, the Administrator, SBA, should direct the CIO to: (1) identify SBA's IT knowledge and skills requirements; (2) perform periodic IT staff assessments to identify current levels of IT knowledge and skills; (3) develop workforce strategies and implement plans to acquire and maintain the necessary IT knowledge and skills to support the agency mission; and (4) periodically evaluate progress in improving SBA's IT human capital capability and use the results to continuously improve human capital strategies. |