Information Technology Management: Small Business Administration Needs
Policies and Procedures to Control Key IT Processes (Testimony,
07/20/2000, GAO/T-AIMD-00-260).

Pursuant to a congressional request, GAO discussed the Small Business
Administration's (SBA) management of information technology (IT)
focusing on: (1) investment management; (2) architecture; (3) software
development and acquisition; (4) information security; and (5) human
capital management.

GAO noted that: (1) SBA had made progress in establishing an investment
review board and is beginning to define an investment selection process;
(2) however, it had not yet established IT investment management
policies and procedures to help identify and select projects that will
provide mission-focused benefits and maximum risk-adjusted returns; (3)
likewise, SBA had not yet defined processes for investment control and
evaluation to ensure that selected IT projects will be developed on
time, within budget, and according to requirements, and that these
projects will generate expected benefits; (4) the agency had performed
only limited reviews of major IT investments, and these reviews were
ad-hoc since little data had been captured for analyzing benefits and
returns on investment; (5) SBA had made progress with its target IT
architecture by describing its core business processes, analyzing
information used in its business processes, describing data maintenance
and data usage, identifying standards that support information transfer
and processing, and establishing guidelines for migrating current
applications to the planned environment; (6) however, procedures did not
exist for change management to ensure that new systems installations and
software changes would be compatible with other systems and SBA's
planned operating environment; (7) SBA lacked policies for software
development and acquisition to help produce information systems within
the cost, budget, and schedule goals set during the investment
management process that at the same time comply with the guidance and
standards of its IT architecture; (8) an existing systems development
methodology was being adopted to replace outdated guidelines that lacked
key processes for software development; (9) GAO's review of the selected
software projects indicated that SBA's practices were typically ad-hoc
for project planning, project tracking and oversight, quality assurance,
and configuration management; (10) SBA had not conducted periodic risk
assessments for its mission-critical systems; (11) the agency had only
recently conducted a security workload assessment and a risk assessment
for one system; (12) training and education had not been provided to
promote security awareness and responsibilities of employees and
contract staff; (13) SBA had not established policies and procedures to
identify and address its short- and long-term requirements for IT
knowledge and skills; and (14) further, SBA had not evaluated its
progress in improving IT human capital capabilities or used data to
continuously improve human capital strategies.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-AIMD-00-260
     TITLE:  Information Technology Management: Small Business
	     Administration Needs Policies and Procedures to Control
	     Key IT Processes
      DATE:  07/20/2000
   SUBJECT:  Information technology
	     Human resources utilization
	     Information resources management
	     ADP procurement
	     Computer security
	     Computer software
	     Systems design
	     Human resources training


GAO/T-AIMD-00-260

For Release on Delivery
Expected at 9:30 a.m. EDT
Thursday, July 20, 2000

United States General Accounting Office

Testimony
Before the Committee on Small Business, U.S. Senate

Information Technology Management

Small Business Administration Needs Policies and Procedures to Control Key
IT Processes

Statement of Joel C. Willemssen
Director, Civil Agencies Information Systems
Accounting and Information Management Division

Mr. Chairman and Members of the Committee:

Thank you for inviting us to participate in today's hearing and discuss the
Small Business Administration's (SBA) management of information technology
(IT). At your request, we recently completed a review of SBA's IT management
in five areas: (1) investment management, (2) architecture, (3) software
development and acquisition, (4) information security, and (5) human capital
management. We briefed your office on our results earlier this year, and
today, at this hearing, our report containing a high-level summary of this
information is being released. After providing some brief background
information, I would like to discuss each of the five areas in our review,
including the recommendations we have made to improve IT management at SBA.

Background

According to SBA's self-assessment of its IT environment, the legacy systems
are not effectively integrated and thus provide limited information sharing.
The assessment also showed that SBA cannot depend on the systems to provide
consistent information. Because of these problems, it has embarked on an
agencywide systems modernization initiative to replace its outmoded legacy
systems.

Our May report presented the results of our evaluation of SBA's management
of IT in the areas of investment management, architecture, software
development and acquisition, information security, and human capital. These
five areas encompass major IT functions and are widely recognized as having
substantial influence over the effectiveness of operations.

In each area, we reviewed SBA's IT policies and procedures and compared them
against applicable laws and regulations, federal guidelines, and industry
standards. We evaluated SBA's IT management using the Clinger-Cohen Act,
Computer Security Act, and guidelines issued by the Chief Information
Officer's Council, the Office of Management and Budget, the General Services
Administration, the National Institute of Standards and Technology, the
Software Engineering Institute, the Institute of Electrical and Electronics
Engineers, Inc., and ourselves. We also reviewed selected SBA IT projects
and activities to determine if practices complied with its policies and
procedures and with industry standards. Finally, we assessed SBA's
applicable policies, procedures, and practices for the critical activities
for each key process area and used three broad indicators to depict our
results:
Blank Circle indicates that policies and procedures do not

Investment Management: Limited Project Selection Reviews Performed; Policies
and Procedures Needed

SBA had made progress in establishing an investment review board and is
beginning to define an investment selection process. However, it had not yet
established IT investment management policies and procedures to help
identify and select projects that will provide mission-focused benefits and
maximum risk-adjusted returns. Likewise, SBA had not yet defined processes
for investment control and evaluation to ensure that selected IT projects
will be developed on time, within budget, and according to requirements, and
that these projects will generate expected benefits. The agency had
performed only limited reviews of major IT investments, and these reviews
were ad hoc since little data had been captured for analyzing benefits and
returns on investment.

Without established policies and defined processes for IT investment, SBA
cannot ensure that consistent selection criteria are used to compare costs
and benefits across proposals, that projects are monitored and provided with
adequate management oversight, or that completed projects are evaluated to
determine overall organizational performance improvement. In addition, the
agency lacks assurance that the collective results of post-implementation
reviews across completed projects will be used to modify and improve
investment management based on lessons learned.

To address IT investment management weaknesses, SBA planned to develop and
implement an investment selection process that includes screening, scoring,
and ranking proposals. It also planned to use its target architecture to
guide IT investments. In addition, SBA planned to develop and implement an
investment control process to oversee and control projects on a quarterly
basis. As part of investment control, SBA intended to collect additional
data from all investment projects and compare actual data with estimates in
order to assess project performance.

SBA's plans indicate a strong commitment to making improvements in this
area; however, to establish robust IT investment management processes,
additional actions are needed. Accordingly, we recommended that the SBA
Administrator direct the chief information officer to establish policies and
procedures and define and implement processes to ensure that (1) IT projects
are selected that result in mission-focused benefits, maximizing
risk-adjusted return-on-investment; (2) projects are controlled to determine
if they are being developed on time, within budget, and according to
requirements; and (3) projects are evaluated to ascertain whether completed
projects are generating expected benefits.

IT Architecture Maintenance Procedures Were Lacking

SBA had made progress with its target IT architecture by describing its core
business processes, analyzing information used in its business processes,
describing data maintenance and data usage, identifying standards that
support information transfer and processing, and establishing guidelines for
migrating current applications to the planned environment. However,
procedures did not exist for change management to ensure that new systems
installations and software changes would be compatible with other systems
and SBA's planned operating environment.

Without established policies and systematic processes for IT architecture
activities, SBA cannot ensure that it will develop and maintain an
information architecture that will effectively guide efforts to migrate
systems and make them interoperable to meet current and future information
processing needs.

To address IT architecture weaknesses, SBA planned to establish a change
management process for architecture maintenance, to ensure that new systems
installations and software changes will be compatible with other systems and
with SBA's planned operating environment. In addition, it planned to
incorporate in the target architecture specific security standards for
hardware, software, and communications.

To ensure that these planned improvements are completed and sound practices
institutionalized, we recommended that the SBA Administrator direct the
chief information officer to establish policies and procedures and define
and implement processes to ensure that (1) the architecture is developed
using a systematic process so that it meets the agency's current and future
needs and (2) the architecture is maintained so that new systems and
software changes are compatible with other systems and SBA's planned
operating environment.

Software Acquisition Guidelines Obsolete, Practices Inconsistent, but
Systems Development Procedures Being Adopted

SBA lacked policies for software development and acquisition to help produce
information systems within the cost, budget, and schedule goals set during
the investment management process that at the same time comply with the
guidance and standards of its IT architecture. SBA's IT guidance and
procedures were obsolete and thus rarely used for acquisition planning,
solicitation, contract tracking and oversight, product evaluation, and
transition to support. An existing systems development methodology was being
adopted, however, to replace outdated guidelines that lacked key processes
for software development. Our review of the selected software projects
indicated that SBA's practices were typically ad hoc for project planning,
project tracking and oversight, quality assurance, and configuration
management.

Without established policies and defined processes for software development
and acquisition, practices will likely remain ad hoc and not adhere to
generally accepted standards. Key activities, such as requirements
management, planning, configuration management, and quality assurance, will
be inconsistently performed or not performed at all when project managers
are faced with time constraints or limited funding. These weaknesses can
delay delivery of software products and services and lead to cost overruns.

To address software development and acquisition weaknesses, SBA planned to
implement formal practices, such as software requirements management and
configuration management, on a project basis before establishing them
agencywide. Specifically, SBA had selected the Loan Monitoring System (LMS)
project as a starting point for identifying, developing, and implementing a
new systems development methodology and associated policies, procedures, and
practices. LMS therefore will serve as a model for future systems
development projects.

While SBA's plan is a good first step, additional measures need to be taken
to ensure agencywide improvements. To establish sound IT software
development and acquisition processes, we recommended that the SBA
Administrator direct the chief information officer to complete the systems
development methodology and develop a plan to institutionalize and enforce
its use, and to develop a mechanism to enforce the use of newly established
policies in areas including but not limited to requirements management,
project planning/tracking/oversight, quality assurance, configuration
management, solicitation, contract oversight, and product evaluation.

Periodic Risk Assessments Not Being Performed; Information Security
Procedures in Draft Form

Key information security activities include risk assessment, awareness,
controls, evaluation, and central management. Risk assessments consist of
identifying threats and vulnerabilities to information assets and
operational capabilities, ranking risk exposures, and identifying
cost-effective controls. Awareness involves promoting knowledge of security
risks and educating users about security policies, procedures, and
responsibilities. Evaluation addresses monitoring the effectiveness of
controls and awareness activities through periodic evaluations. Central
management involves coordinating security activities through a centralized
group.

SBA had not conducted periodic risk assessments for its mission-critical
systems; the agency had only recently conducted a security workload
assessment and a risk assessment for one system. Training and education had
not been provided to promote security awareness and responsibilities of
employees and contract staff. Further, security management responsibilities
were fragmented among all of SBA's field and program offices.

SBA's computer security procedures for systems certification and
accreditation were in draft form. Without security policies, SBA faces
increased risk that critical information and assets may not be protected
from inappropriate use, alteration, or disclosure. Without defined
procedures, practices are likely to be inconsistent for such activities as
periodic risk assessments, awareness training, implementation and
effectiveness of controls, and evaluation of policy compliance.

To address information security weaknesses, SBA has hired additional staff
to develop procedures to implement computer security policies and to manage
computer accounts and user passwords. These staff are also responsible for
performing systems security certification reviews of new and existing IT
systems. In addition, SBA planned to finish development and testing of a
comprehensive disaster recovery and business continuity plan.

To build on the actions taken and planned by SBA and ensure that a
comprehensive, effective security program is established, we recommended
that the SBA Administrator direct the chief information officer to establish
policies and procedures and define and implement processes to ensure that

   * periodic risk assessments are conducted to determine and rank
     vulnerabilities;
   * an effective security awareness program is implemented;
   * policies and procedures are updated, with new controls implemented to
     address newly discovered threats;
   * the development and testing of SBA's comprehensive disaster recovery
     and business continuity plan is completed, then periodically tested and
     updated;
   * security evaluations are conducted to ascertain whether protocols in
     place are sufficient to guard against identified vulnerabilities, and
     if not, remedial action taken as needed; and
   * a centralized mechanism is developed to monitor and enforce compliance
     by employees, contract personnel, and program offices.

Workforce Strategies and Plans Not Developed; Human Capital Policies and
Procedures Needed

SBA had not established policies and procedures to identify and address its
short- and long-term requirements for IT knowledge and skills. Similarly, it
had not conducted an agencywide assessment to determine gaps in IT knowledge
and skills in order to develop workforce strategies and implementation
plans. Further, SBA had not evaluated its progress in improving IT human
capital capabilities or used data to continuously improve human capital
strategies.

Without established policies and procedures for human capital management,
SBA lacks assurance that it is adequately identifying the IT knowledge and
skills it needs to support its mission, is developing appropriate workforce
strategies, or is effectively planning to hire and train staff to
efficiently perform IT operations.

To address IT human capital management weaknesses, SBA planned to conduct a
comprehensive assessment of training needs with a special emphasis on the
needs of its IT staff. The survey is scheduled for fiscal year 2001 and will
be conducted at both headquarters and SBA field offices.

While SBA's planned assessment should be useful, a more comprehensive
program is needed to ensure that it hires, develops, and retains the people
it needs to effectively carry out IT activities. To improve IT human capital
management practices, we recommended that the SBA Administrator direct the
chief information officer to establish policies and procedures and define
and implement processes to ensure that SBA's IT knowledge and skills
requirements are identified; periodic IT staff assessments are performed to
identify current knowledge levels; workforce strategies are developed and
plans implemented to acquire and maintain the necessary IT skills to support
the agency mission; and SBA's human capital capabilities are periodically
evaluated and the results used to continually improve agency strategies.

SBA has agreed with all of our recommendations and has stated that efforts
are underway to address them. SBA has also emphasized that it is committed
to improving IT management practices.

Mr. Chairman, this concludes my statement. I would be pleased to respond to
any questions that you or other members of the Committee may have at this
time.

Contact and Acknowledgments

(511850)
