Skip to Highlights

GAO reviewed the effectiveness of the Department of Housing and Urban Development's (HUD) information resources management (IRM) program, focusing on whether: (1) IRM planning and data management are adequate to support HUD missions and strategic objectives; (2) HUD computer security programs adequately protect sensitive systems; and (3) efforts to integrate and strengthen financial management systems are effectively planned and managed.

Skip to Recommendations


Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Housing and Urban Development 1. In order to make the HUD IRM program more responsive to its missions, the Secretary of Housing and Urban Development should establish strategic business and IRM planning processes and develop and maintain up-to-date plans that are clearly linked to each other. The plans should articulate senior executives' vision of the Department's missions, objectives, and priorities, and define the strategies and program and IRM resources needed to properly support the missions and achieve the strategic objectives. The Secretary should consider using the existing IRM Planning Board to develop the Department's strategic plans. In any event, direct and substantive involvement of the Secretary, Deputy Secretary, and senior executives is essential to define the business vision and strategic objectives.
Closed - Implemented
On August 30, 2001, the Office of the Chief Information Officer indicated that HUD will begin developing a strategic IRM planning process in the near future. As of August 27, 2002, HUD officials stated that the Department has a draft strategic IT plan and expect the plan to be fully approved in September 2002. According to the Chief Architect, the principal author, the strategic IT plan shows how information resources will help achieve the strategic objectives in HUD's Strategic Plan (business plan). The official added that the strategic IT plan will be executed through the enterprise architecture and investment management processes. HUD has substantially implemented this recommendation. Over the years it has developed strategic business plans and GPRA plans, and more recently has made progress in developing a strategic IT plan. In addition, HUD's efforts to develop an enterprise architecture and investment management processes have also linked strategic and tactical business and IT direction. Taken together, these plans and processes should help the Department plan information systems and technology to support its missions and strategic objectives.
Department of Housing and Urban Development 2. In order to make the HUD IRM program more responsive to its missions, the Secretary of Housing and Urban Development should direct Information Policies Systems to develop a strategic information architecture that is based on the strategic business and IRM plans to govern the development, deployment, and use of IRM resources.
Closed - Implemented
HUD has substantially implemented this recommendation. Over the past few years, the Department has made significant strides in its effort to develop and institutionalize an enterprise architecture (EA) and integrate the architecture with its IT investment management process. The department has high-level baseline and target architectures, and has continued to add more layers or detail to its business, data, application, and technology architectures. HUD also added a stakeholders architecture to its EA framework in the past year to incorporate internal stakeholders' and external partners' interactions that are key to the delivery of HUD's programs and services. HUD has established an EA program office; developed and refreshed a baseline architecture; developed EA policies; conducted EA based analyses of HUD's IT investment portfolio; developed applications, data, and technical reference models; developed a conceptual architecture and architecture principles; established enterprise architecture domain teams; identified opportunities to leverage common IT solutions across the enterprise for case management and tracking; and used the architecture in the project selection phase of HUD's investment management process. The Chief Architect's goals for fiscal year 2003 include continuing to develop the enterprise architecture, developing the financial management target architecture after the CFO determines HUD's future accounting and financial management needs, enhancing the enterprise architecture framework to include work force, performance, and security, and attaining full integration between the enterprise architecture and capital planning and investment control processes.
Department of Housing and Urban Development 3. In order to make the HUD IRM program more responsive to its missions, the Secretary of Housing and Urban Development should establish a data management program to support integrated and departmentwide systems, and ensure that the organization responsible for this program has sufficient authority to coordinate the development of standards for common data, establish a dictionary the provides definitions and locations of data, and ensure compliance with departmentwide data standards.
Closed - Implemented
HUD has defined the department-wide data administration functions and responsibilities. HUD established a Central Information Management function and revised data administration standards and procedures. The central data administrator has the authority to ensure compliance with department-wide standards. HUD established a central data repository and has been populating it. HUD issued standards and procedures governing the repository. Data administration training has been provided to program area and systems development personnel.
Department of Housing and Urban Development 4. In order to make the HUD IRM program more responsive to its missions, the Secretary of Housing and Urban Development should eliminate weaknesses in computer security controls over automated systems and installations that store, process, transmit, or use sensitive or privacy data. This will require establishing effective mechanisms to ensure that both HUD and contractor: (1) computer operations conform with federal and departmental requirements; (2) staffs receive background investigations that are commensurate with their access to sensitive systems; and (3) staffs receive sufficient training so they are aware of and can fulfill their computer security responsibilities.
Closed - Implemented
HUD has made significant progress in this area over the years, only one of the several major computer security weaknesses that GAO observed and reported in 1994 still remains. In its audit report on the Department's fiscal year 2001 and 2000 financial statements, the HUD Inspector General again noted that HUD has continued its effort to improve security controls. Previously reported exposures of sensitive Privacy Act data and payment system data to unauthorized access have been corrected. Data files and software libraries are now protected by validation and verification methods to ensure that users requesting read and write access have the proper authority and need to know. In addition, the number of users with access to powerful system commands has been reduced, and an audit trail has been developed to track the authorized security and system administrative functions. The Inspector General also said that the Department had made corrections to address weaknesses noted in previous reviews of server user settings that would allow unauthorized access. The last area of vulnerability that GAO observed and reported in 1994 remains a reportable condition. During fiscal year 2001, 825 users granted access to HUD's critical and sensitive systems lacked the appropriate background investigations. To correct this, HUD is embarking on another effort to ensure appropriate background investigations. This is to include mandating the use of standard contract modules that require contractor staff to have appropriate background investigations. The HUD IG is expected to continue, as it has for several years, following up on this vulnerability until it is fully corrected. This follow up is a part of the IG's annual financial statement audits.
Department of Housing and Urban Development 5. In order to make the HUD IRM program more responsive to its missions, the Secretary of Housing and Urban Development should develop and test contingency plans to provide for the backup, recovery, and continuity of operations of all systems and computer installations that support critical Department functions. Also, until these plans are fully developed and tested, report the lack of contingency plans as a material internal control weakness under the Federal Managers' Financial Integrity Act.
Closed - Implemented
HUD has fully implemented this recommendation. GAO's analysis of the HUD Computer Center Business Resumption Plan showed that it was consistent with industry criteria, and the HUD Inspector General's report on HUD's fiscal year 1998 financial statements stated that all field offices had also developed acceptable business resumption plans. Since then, however, Inspector General reports on the annual financial statement audits have shown that business resumption plan testing has been inadequate. This was corrected in 2001, and in its report on the fiscal year 2001 and 2000 financial statements, the HUD Inspector General stated that HUD had tested the plans satisfactorily and set up a schedule to conduct periodic testing. This action eliminates a significant internal control deficiency, and helps to ensure and demonstrate that the plans are complete and up-to-date and can be implemented successfully after a disaster or other disruption.
Department of Housing and Urban Development 6. In order to make the HUD IRM program more responsive to its missions, the Secretary of Housing and Urban Development should establish and maintain, as part of the implementation of HUD revised Financial Systems Integration Plan: (1) clear lines of authority over the entire effort and individual systems projects; (2) standards for the common data that will be used; (3) a data dictionary for the integrated financial systems; (4) a detailed plan to transition from existing systems to the integrated systems that will be developed; and (5) an effective monitoring mechanism to ensure that significant problems, with any project or the integration effort as a whole, are brought to the attention of senior managers and are corrected in a timely manner.
Closed - Implemented
HUD established a management committee responsible for significant financial systems integration issues. The CFO monitors and reports project status to the committee. Each program assistant secretary is responsible for financial integration projects. HUD has developed policies to implement data administration standards and established a data repository to support data administration. HUD developed and is updating a transition plan to guide the change from the existing systems and processes to the new ones.

Full Report