1.0 TITLE: Oversight of Information Technology Projects

1.1 EFFECTIVE DATE: October 14, 1999

1.1.1 REVISED: July 15, 2010

1.2 TYPE OF ACTION: New

2.0 PURPOSE: To establish a policy for the external independent oversight of information technology projects within entities. Project oversight is an essential management practice to ensure the successful implementation of information technology projects. The purpose is to ensure that the project is being managed in compliance with the project plan; that sound management practices are being observed, that contractors are delivering on their contracts, that the project is adequately staffed and that schedules are reasonable and are being met.

3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions, and Agencies of state government, hereafter referred to as entities.

4.0 REFERENCES:

4.1 K.S.A. 1998 Supp. 75-7203 authorizes the Information Technology Executive Council (ITEC) to: adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state agencies.

4.2  K.S.A 75-7211 directs the Legislative Chief Information Technology Officer (CITO), under the direction of the Joint Committee on Information Technology (JCIT), to monitor state entity execution of information technology projects and at times agreed upon by the three chief information technology officers shall report progress in project execution and the status and changes to the project financial plan.

4.3  K.S.A. 75-7211 directs entity heads to consult with the JCIT before approving any increase above the authorized total cost of a project .that exceeds the lesser of $1,000,000 or 10% of the currently authorized cost. The JCIT will report all such changes and overruns to the senate ways and means and the house appropriations committees.

5.0 DEFINITIONS/BACKGROUND:

5.1 Information Technology Project means a project for a major computer, telecommunications or other information technology improvement with an estimated cumulative cost of $250,000 or more and includes any such project that has proposed expenditures for: (1) new or replacement equipment or software; (2) upgrade improvements to existing equipment and any computer systems, programs or software upgrades therefore; or (3) data or consulting or other professional services for such a project.

5.2 CITO - Chief Information Technology Officer, duties defined in K. S. A. 1998 Supp. 75-7205, 75-7206, 75-7207.

5.3 ITEC - refers to the Information Technology Executive Council.

5.4 JCIT refers to the Joint Committee on Information Technology.

5.5 Information Technology Project Plan refers to the plan defined by the Division of Budget instructions for information technology projects.

5.6 IV&V refers to external Independent Verification and Validation.

5.7 Risk Assessment refers to the risk management process the entity will use to manage project risks as outlined in the Kansas Project Management Methodology (PMM).

6.0 POLICY:

6.1 All information technology projects will be conducted under the oversight of the entity executive management.

6.2 The Branch CITO, when reviewing projects that are subject to CITO review, will evaluate the size, complexity, risk and consequences of failure for proposed projects and will determine to what extent IV&V oversight will be required to adequately monitor the execution of entity information technology projects. At a minimum, large projects over $10.0 million in a three-year life cycle will be required to engage external IV&V on the project. The IV&V assessment will be submitted directly and simultaneously to the Project Sponsor and the Branch CITO. The IV&V assessment will also be made available to the Legislative CITO, entity head and project manager.

6.3 After review of the Information Technology Project Plan, The Branch CITO will determine the need for external IV&V. The Branch CITO will recommend the IV&V contractor for the project and recommend an amount to be included in the project budget to cover the cost of an appropriate level of oversight by an external IV&V contractor.

6.4 Entities will fully support external reviews in order to maximize the state's investment in information technology projects.

6.5 Oversight requirements for a small project with very low risk may be fulfilled with routine project status reporting to the Branch CITO.

7.0 PROCEDURES:

7.1 The Branch CITO, in consultation with the state entity, will use the Information Technology Project Plan and the initial risk assessment to determine oversight requirements for each project. At a minimum, large projects over $10.0 million in a three-year life cycle will be required to engage independent external oversight of the project.

7.2 The IV&V assessment will be submitted directly and simultaneously to the Project Sponsor and the Branch CITO. The IV&V assessment will also be made available to the Legislative CITO, entity head and project manager. Those assessments will provide a clear definition and analysis of major problems and issues associated with the ongoing implementation of the project, as outlined in ITEC Policy Guideline 2510A.

7.3 IV&V contractors will assist the project manager in conducting periodic risk assessments at strategic points throughout the life of the project.

8.0 RESPONSIBILITIES:

8.1 Heads of entities are responsible to establish procedures for their organization's compliance with the requirements of this policy.

8.2 The Chief Information Technology Officer, Executive Branch, is responsible for the maintenance of this policy.

9.0 CANCELLATION: All previous versions of this policy.