Information Technology Management: Social Security Administration
Practices Can Be Improved (21-AUG-01, GAO-01-961).

The Social Security Administration (SSA) needs to identify
strengths and weaknesses within its agencywide operational and
managerial capabilities to enable the delivery of high-quality
customer service in the face of increases in both workloads and
in the number of retirements from its experienced workforce.
Evaluating SSA's management of information technology (IT) is
critical to assess whether the agency is adequately addressing
these capabilities. This report reviews SSA's IT policies,
procedures, and practices in five areas: investment management,
enterprise architecture, software acquisition and development,
information security, and human capital. GAO found that SSA had
many important IT management policies and procedures in place in
each of these five key areas but did not always implement them
consistently. In some areas, SSA had not established certain key
policies, procedures, or practices essential to ensuring that its
IT is effectively managed. GAO found weaknesses in all of the
five key areas of IT management--particularly in investment
management and human capital management.
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-01-961
    ACCNO:   A01630
    TITLE:   Information Technology Management: Social Security
             Administration Practices Can Be Improved
     DATE:   08/21/2001
  SUBJECT:   Computer security
             Computer software
             Information technology
             Systems design
             ADP procurement
             Personnel management

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-01-961

Report to the Chairman, Subcommittee on Social Security, Committee on Ways
and Means, House of Representatives

August 2001

INFORMATION TECHNOLOGY MANAGEMENT

Social Security Administration Practices Can Be Improved

GAO-01-961

Letter

August 21, 2001

The Honorable Clay Shaw
Chairman, Subcommittee on Social Security
Committee on Ways and Means
House of Representatives

Dear Mr. Chairman:

As the Social Security Administration (SSA) strives to meet its future
challenge of delivering high-quality customer service in the face of
increases in both workloads and in the number of retirements of its
experienced workforce, it needs to identify strengths and weaknesses within
its agencywide operational and managerial capabilities. Evaluating SSA's
management of information technology (IT) is a critical part of efforts to
assess whether the agency is adequately addressing these capabilities. As
you requested, our objective was to evaluate SSA's IT policies, procedures,
and practices in the areas of investment management, enterprise
architecture, software acquisition and development, information security,
and human capital. These five areas encompass major IT management functions
and are recognized by the industry as having substantial influence over the
effectiveness of an organization's operations.

To address this objective, we reviewed SSA's policies and procedures in
each of the five key areas and compared them against applicable laws,
federal guidelines, and industry standards. We also reviewed selected IT
projects and activities to help determine if SSA's practices were
consistent with its own policies and procedures, as well as with federal
and industry standards. For each IT area we reviewed, we depicted our
evaluation results and judgments on the current state of SSA's policies,
procedures, and practices by using three broad indicators. We performed our
work from January through June 2001, in accordance with generally accepted
government auditing standards.

On July 9, 2001, we provided a detailed briefing to your office on the
results of this work. The briefing slides are included as appendix I. The
purpose of this letter is to provide the published briefing slides to you
and to officially transmit our recommendations to the Acting Commissioner
of Social Security. In brief, we reported that SSA had many important IT
management policies and procedures in place in each of the five areas, but
did not always implement them consistently. In some areas, SSA had not
established certain key policies, procedures, or practices essential to
ensuring that its IT is effectively managed. We noted weaknesses in all of
the five key areas of IT management, particularly in investment management
and human capital management, and are making numerous recommendations to
the Acting Commissioner of Social Security to address these weaknesses. The
Acting Commissioner has agreed with our recommendations.

Recommendations for Executive Action

To improve SSA's IT management practices, we recommend that the Acting
Commissioner of Social Security direct the Chief Information Officer and the
Deputy Commissioner for Systems to complete the following actions:

In the investment management area,

- develop and implement a process guide that establishes the policies,
  procedures, and key criteria for conducting the IT investment management
  process and guiding executive staff operations;

- develop and maintain selection criteria that include explicit cost,
  benefit, schedule, and risk criteria to facilitate the objective analysis,
  comparison, prioritization, and selection of IT investments;

- analyze and prioritize all IT investments based on the predefined
  selection criteria and make selection decisions according to the
  established process;

- establish and annually review cost, benefit, schedule, and risk life-cycle
  expectations for each selected investment;

- revise the IT oversight process so that the executive staff oversees the
  comparison of actual cost, benefit, schedule, and risk data with original
  estimates for all investments to determine whether they are proceeding as
  expected and, if not, to take corrective actions as appropriate;

- regularly perform post-implementation reviews of IT investments and
  develop lessons learned from the process;

- develop, manage, and regularly evaluate the performance of a comprehensive
  IT investment portfolio containing detailed and summary information
  (including data on costs, benefits, schedules, and risks) for all IT
  investments; and

- implement investment process benchmarking so that measurable improvements
  may be made to agency IT investment management processes based on those
  used by best-in-class organizations.

In the enterprise architecture area,

- establish milestones for and complete key elements of SSA's enterprisewide
  architecture, including (1) finalizing its framework, (2) updating and
  organizing its architectures and architecture definitions under the
  framework, and (3) reflecting its future service delivery vision and
  e-business goals; and

- effectively implement change management and legacy system integration
  policies, procedures, and processes across the agency, and set target
  dates for full implementation of these maintenance processes.

In the area of software development,

- consistently apply the requirements management, project planning, project
  tracking and oversight, quality assurance, and configuration management
  policies and procedures developed by the software process improvement
  program across all software development efforts; and

- develop and implement a procedure to grant waivers to software development
  projects when deviations from policies and procedures occur.

In the information security area,

- strengthen the entitywide security framework by completing policy/risk
  models and technical system standards (security settings) for SSA's major
  systems platforms;

- develop monitoring techniques and corrective actions for noncompliance for
  the major systems platforms; and

- use the platform security settings to strengthen security for each
  application utilizing these platforms.

In the human capital area,

- complete an assessment of the Office of Systems' current and future IT
  knowledge and skill needs;

- develop and maintain an inventory of the Office of Systems' current IT
  staff's knowledge and skills;

- determine whether a gap exists between current and future IT staff
  requirements and current staffing;

- implement workforce strategies that support the results of this gap
  analysis; and

- analyze and document the effectiveness of its strategies for recruiting,
  training, and retaining IT personnel, and use these results to
  continuously improve its IT human capital strategies.

Agency Comments and Our Evaluation

In providing written comments on a draft of our briefing, the Acting
Commissioner agreed with all of our recommendations and identified various
actions that SSA has planned or undertaken to address them. SSA also offered
updated information and suggestions for revising several specific areas of
our briefing, which we have incorporated where appropriate. Concerning our
evaluation of its information security performance, SSA stated that it has
now completed the development of policy/risk models and technical system
standards for its major system platforms and suggested that we change our
assessment of its performance in five information security areas. We are
encouraged that SSA has reported completing its policy/risk models and
technical system standards; adherence to sound models and standards should
strengthen the security of its major platforms and information systems
environment. However, because these models and standards were finalized
after the completion of our review, we have not had an opportunity to verify
their implementation and cannot, therefore, change our assessment at this
time. Appendix II contains the full text of SSA's comments and suggested
revisions.

As agreed with your office, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from the
date of this letter. At that time, we will provide copies to the Acting
Commissioner of Social Security and to the Director, Office of Management
and Budget, as well as to other interested parties. Copies will also be
available at our Web site at www.gao.gov.

Should you or your office have any questions concerning this report, please
contact me at (202) 512-6257, or Valerie Melvin, Assistant Director, at
(202) 512-6304. We can also be reached by e-mail at mcclured@gao.gov and
melvinv@gao.gov, respectively. Individuals making key contributions to the
briefing and this report were Michael Alexander, Yvette R. Banks, Nabajyoti
Barkakati, John Christian, Lester Diamond, Thomas F. Noone, Madhav Panwar,
Elizabeth Roach, and Marcia Washington.

Sincerely yours,

David L. McClure
Director, Information Technology Management Issues

Appendix I

GAO's July 9, 2001, Briefing